This is for Apache (& I'm running Ubuntu 14.04).
I had previously been running my OC setup on my Mac Mini and found this awesome post (LinkedIn walled) OR (Google cached version) outlining SSL security settings that worked quite well last year. Caveat: since this guy's post came out, Apple did update OSX Server to allow TLS v1.1 & 1.2, and I ran it perfectly then too, for those OSX Server users.
Now I'm on a new install of NextCloud with Ubuntu 14.04, as mentioned.
Long story short, for you folks running Apache, feel free to look into these settings; they're giving me an A+ on SSLLabs on a fresh install/new server, on top of NextCloud 10's already great Security & Hardening guidance and its implementation of HSTS settings etc.
Open /etc/apache2/mods-available/ssl.conf to make changes.

Enable only secure ciphers: change the SSLCipherSuite line (mine had SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5) to

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Cipher order, so the best supported TLS crypto is forced: uncomment (delete the default "#") and change

#SSLHonorCipherOrder on

to

SSLHonorCipherOrder On

SSLProtocol: change

SSLProtocol all

to

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
*Note: +TLSv1 is required by the NC desktop client, so forcing only 1.1 & 1.2 can't be done.
Adding SSLEngine On to this ssl.conf file, as he instructs, gives me an Apache failed error. I haven't researched why, but it is also on by default in the /etc/apache2/sites-available/default-ssl.conf file, so I don't think it's needed here. Test your settings incrementally with service apache2 restart.
Btw, I'm running certbot by Let's Encrypt from cron with an RSA 4096-bit key. On the initial auto install, per Let's Encrypt's Ubuntu + Apache instructions, add --rsa-key-size 4096:

certbot-auto --rsa-key-size 4096
I look forward to hearing others' TLS settings to keep our NextCloud servers ahead of the game.
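The post edits three mod_ssl directives by hand and then trusts SSLLabs to tell you what they actually did. The script below is an added example, not part of the original post or of Nextcloud or Apache: it parses a constructed ssl.conf fragment (a shortened version of the settings above, plus the stock Ubuntu values the post started from), applies the SSLProtocol token rules, checks SSLHonorCipherOrder, and expands the SSLCipherSuite string with the local OpenSSL through Python's ssl module, so you can see which suites your build really offers before restarting Apache. The sample configs, the weak-suite markers and the finding codes are all assumptions of the example; it only flags SSLv2/SSLv3, leaving the TLS 1.0 decision to you given the client constraint the post mentions.

```python
"""Check an Apache mod_ssl fragment the way the post's edits intend.

Added example (not from the original post). It parses the three directives
the post changes (SSLCipherSuite, SSLHonorCipherOrder, SSLProtocol) and then
expands the cipher string with the local OpenSSL, via Python's ssl module, to
show which suites this build really enables and whether any weak ones slip in.
"""
import re
import ssl

# Constructed sample: a short version of the post's hardened settings,
# written with Apache's trailing-backslash line continuation.
HARDENED_SSL_CONF = """
# Only ECDHE/DHE AES-GCM plus a CBC fallback, weak families excluded.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:\\
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:\\
    DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:\\
    !aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder On
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
"""

# Constructed sample: the stock values the post says it started from.
STOCK_SSL_CONF = """
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder off
SSLProtocol all
"""

ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
# Substrings that identify suites a server should no longer offer
# (RC4, MD5 MACs, NULL, export grade, DES/3DES, anonymous DH/ECDH).
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES", "ADH", "AECDH")


def parse_directives(text):
    """Map directive name -> value, honouring Apache's trailing-backslash
    line continuation (approximated: the continuation's leading blanks are
    dropped). Comment and blank lines are ignored; the last value wins."""
    joined = re.sub(r"\\\n\s*", "", text)
    directives = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def enabled_protocols(value):
    """Apply SSLProtocol tokens ('all', '+X', '-X', bare 'X') left to right."""
    enabled = set()
    for token in value.split():
        name = token.lstrip("+-").lower()
        members = ALL_PROTOCOLS if name == "all" else {name}
        if token.startswith("-"):
            enabled -= members
        else:
            enabled |= members
    return enabled


def expand_cipher_suite(spec):
    """Expand an OpenSSL cipher string into the TLS<=1.2 suite names this
    OpenSSL build offers, in preference order. TLS 1.3 suites are configured
    separately by OpenSSL and are filtered out by their TLS_ prefix."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit(text):
    """Return (code, detail) findings; an empty list means the fragment passes."""
    d = parse_directives(text)
    findings = []
    legacy = enabled_protocols(d.get("SSLProtocol", "all")) & {"sslv2", "sslv3"}
    if legacy:
        findings.append(("protocol", "SSL 2/3 still enabled: " + ", ".join(sorted(legacy))))
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append(("cipher-order", "server does not enforce its cipher preference"))
    suites = expand_cipher_suite(d.get("SSLCipherSuite", "DEFAULT"))
    weak = [s for s in suites if any(m in s for m in WEAK_MARKERS)]
    if weak:
        findings.append(("weak-cipher", ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for label, conf in (("stock", STOCK_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        print(label, "->", audit(conf) or "OK")
    spec = parse_directives(HARDENED_SSL_CONF)["SSLCipherSuite"]
    print("hardened list expands to:", expand_cipher_suite(spec))
</test>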