[root@centos ~]# vi /etc/httpd/conf.d/ssl.conf ← edit the SSL configuration file
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 ← only TLS 1.2 enabled
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ← added (cipher suites to use)
SSLHonorCipherOrder on ← added (the server, not the client, chooses the cipher)
Header always set Strict-Transport-Security "max-age=15768000" ← added (HSTS: enforce always-HTTPS access)
</VirtualHost>
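The three settings above (TLS 1.2 only, server-chosen cipher order, HSTS) are easy to leave half-applied, for example by editing the commented-out sample lines instead of adding live ones. The following shell script, added here as an example and not part of the original page, audits an ssl.conf for exactly those directives. The function name check_ssl_conf, the two sample files created with mktemp, and their contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: audit an Apache ssl.conf for the
# hardening directives added above (TLS 1.2 only, server-chosen ciphers, HSTS).
# The sample configuration files below are constructed here with mktemp.

# check_ssl_conf FILE -> returns 0 if every check passes, 1 otherwise.
# Only uncommented directives count; the last occurrence wins, as in Apache.
check_ssl_conf() {
    f="$1"
    rc=0

    # SSLProtocol must explicitly disable SSLv2, SSLv3, TLSv1 and TLSv1.1
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$f" | tail -n 1)
    for legacy in 'SSLv2' 'SSLv3' 'TLSv1' 'TLSv1\.1'; do
        if ! printf '%s\n' "$proto" | grep -qE -- "-${legacy}([[:space:]]|\$)"; then
            echo "FAIL: SSLProtocol does not disable ${legacy}"
            rc=1
        fi
    done

    # SSLCipherSuite must reject anonymous (aNULL) and MD5-based suites
    cs=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$f" | tail -n 1)
    case "$cs" in
        *'!aNULL'*) ;;
        *) echo "FAIL: SSLCipherSuite does not exclude aNULL"; rc=1 ;;
    esac
    case "$cs" in
        *'!MD5'*) ;;
        *) echo "FAIL: SSLCipherSuite does not exclude MD5"; rc=1 ;;
    esac

    # The server, not the client, must pick the cipher suite
    if ! grep -qiE '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$f"; then
        echo "FAIL: SSLHonorCipherOrder is not on"
        rc=1
    fi

    # HSTS must be sent with a max-age of at least six months (15768000 s)
    hsts=$(grep -E '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' "$f" | tail -n 1)
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt 15768000 ]; then
        echo "FAIL: Strict-Transport-Security header missing or max-age below 15768000"
        rc=1
    fi

    return $rc
}

# Constructed sample: the hardened configuration as edited above
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=15768000"
EOF

# Constructed sample: a stock file where only the commented examples were touched
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
SSLProtocol All -SSLv2
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_ssl_conf "$f"; then echo "PASS: $f"; else echo "NOT HARDENED: $f"; fi
done
```

Run it against the real file with `check_ssl_conf /etc/httpd/conf.d/ssl.conf` after `systemctl reload httpd`; each failing check prints one line naming the directive to fix. The script only reads the configuration, so it is safe to run on a production host.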