===== SSL scan result =====

The latest SSL Labs scan is from 2020-10-14. The previous scan was from 2019-12-31, when I had just added TLSv1.3, and the one before that was from 2018. I first used the SSL Labs scan in 2016. A fresh scan can be started by [[https://www.ssllabs.com/ssltest/analyze.html?d=www.malleus.se&hideResults=on|clicking here.]]

{{:all:ssllabstest201015.png?|Scan result from SSL Labs, Oct 14, 2020.}}

The key TLS configuration I use in the https virtual host is (for Apache 2.4):

<code>
...
# Protocols: only TLSv1.2 and TLSv1.3 remain enabled
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLOpenSSLConfCmd DHParameters "etc/apache24/dh4096.pem"
SSLOpenSSLConfCmd ECDHParameters Automatic
# Cipher suites: forward-secret (ECDHE/DHE) key exchange with AEAD ciphers only
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLCompression off
SSLHonorCipherOrder on
# Session resumption: tickets off, server-side session cache
SSLSessionTickets off
SSLSessionCache shmcb:/var/run/httpd_ssl_scache(512000)
SSLSessionCacheTimeout 300
# OCSP stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/httpd_oscp(128000)
# HSTS and other security response headers (needs mod_headers)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
...
</code>

When I upgrade to the next Apache httpd, I'll see if I can make use of [[https://en.wikipedia.org/wiki/Certificate_Transparency|Certificate Transparency]]. In httpd 2.5 the directive is CTStaticLogConfig.
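
A way to re-check the protocol, cipher, compression and HSTS settings listed above after each edit of the virtual host, without waiting for a new scan. This is an added example, not part of the original page or of Apache: the function names, the weak counter-example and the one-year HSTS threshold are assumptions of the example, and it only understands explicit suite names.

```python
import re

# Directives copied from the configuration on this page.
PAGE_CONFIG = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLCompression off
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
"""
# Constructed counter-example with the settings the page's configuration avoids.
WEAK_CONFIG = """
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:ECDHE-RSA-AES128-SHA
SSLCompression on
Header always set Strict-Transport-Security "max-age=300"
"""
# Assumption: what "all" expands to on an httpd/OpenSSL build that supports TLSv1.3.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def protocols(args):
    """Apply SSLProtocol's all / +proto / -proto arguments left to right."""
    enabled = set()
    for a in args:
        if a.startswith("-"):
            enabled.discard(a[1:])
        else:
            enabled |= ALL if a.lower() == "all" else {a.lstrip("+")}
    return enabled

def audit(text):
    """Return findings for the settings this page hardens; an empty list means none."""
    d, found = {t[0]: t[1:] for t in map(str.split, text.splitlines()) if t}, []
    legacy = protocols(d.get("SSLProtocol", ["all", "-SSLv3"])) & {"SSLv3", "TLSv1", "TLSv1.1"}
    if legacy:
        found.append("legacy protocols enabled: " + ",".join(sorted(legacy)))
    # Explicit suite names only; OpenSSL keywords such as HIGH are not interpreted.
    for suite in filter(None, d.get("SSLCipherSuite", [""])[-1].split(":")):
        if not suite.startswith(("ECDHE-", "DHE-")):
            found.append("no forward secrecy: " + suite)
        elif not re.search(r"GCM|CHACHA20|CCM", suite):
            found.append("non-AEAD cipher: " + suite)
    if d.get("SSLCompression", ["off"])[0].lower() != "off":
        found.append("TLS compression enabled")
    hsts = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', text)
    if not hsts or int(hsts.group(1)) < 31536000:
        found.append("HSTS missing or max-age under one year")
    return found

print(audit(PAGE_CONFIG), audit(WEAK_CONFIG), sep="\n")
```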