To hide web server version number, server operating system details, installed Apache modules and more, open your Apache web server configuration file using your favorite editor:
$ sudo vi /etc/apache2/apache2.conf        # Debian/Ubuntu systems
$ sudo vi /etc/httpd/conf/httpd.conf       # RHEL/CentOS systems
And add/modify/append the lines below:
ServerTokens Prod
ServerSignature Off
Error code: SSL_ERROR_RX_RECORD_TOO_LONG (Firefox reports this when the port answers with something other than a TLS handshake, typically plain HTTP on port 443).
If the Fortinet name appears in SSL Labs scans and you get a T (certificate not trusted) grade: when changing certificates on the FortiGate 60E, make sure the SSL/SSH Inspection deep-inspection profiles have the actual certificate listed on each entry, or Fortinet's certificate will keep coming up in SSL Labs scans.
This adds the PPA that carries the latest version of Apache 2 and installs it:
sudo add-apt-repository ppa:ondrej/apache2
sudo apt update
sudo apt install apache2
Enable the SSL and headers modules in Apache2 (mod_headers is needed for the Header directives in the configuration below):
sudo a2enmod ssl
sudo a2enmod headers
sudo service apache2 restart
See sections on OCSP Stapling and DNS CAA for more information.
Final sites-available configuration file
# OCSP Stapling (server-wide settings, outside any VirtualHost)
SSLCryptoDevice dynamic
SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
SSLSessionCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_scache(512000)
Mutex file:/var/log/apache2/wp.scsiraidguru.com/ ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin

# Port 80: send every name to its HTTPS counterpart. Redirect appends the rest of
# the request path to the target, so the target URL must end with a slash.
<VirtualHost *:80>
    ServerName scsiraidguru.com
    Redirect permanent / https://scsiraidguru.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.scsiraidguru.com
    Redirect permanent / https://www.scsiraidguru.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName wp.scsiraidguru.com
    Redirect permanent / https://wp.scsiraidguru.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName science.scsiraidguru.com
    Redirect permanent / https://science.scsiraidguru.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName virl.scsiraidguru.com
    Redirect permanent / https://virl.scsiraidguru.com/
</VirtualHost>

# Port 443: the bare and www names redirect to the canonical wp host
<VirtualHost *:443>
    ServerName scsiraidguru.com
    Redirect permanent / https://wp.scsiraidguru.com/
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.scsiraidguru.com
    Redirect permanent / https://wp.scsiraidguru.com/
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>

<VirtualHost *:443>
    ServerName wp.scsiraidguru.com
    ServerAdmin mike.mckenney@scsiraidguru.com
    ServerAlias www.scsiraidguru.com scsiraidguru.com
    DocumentRoot /var/www/wp.scsiraidguru.com/public_html

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/xxxxxx.crt
    SSLCertificateKeyFile /etc/apache2/ssl/xxxxx.key
    SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
    SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhxxxxx.pem"

    SSLOCSPEnable on
    SSLUseStapling on
    SSLOCSPResponseMaxAge 900
    SSLOCSPResponseTimeSkew 300
    SSLStaplingReturnResponderErrors off
    SSLStaplingErrorCacheTimeout 60

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # Header set Set-Cookie HttpOnly;Secure: WordPress won't work
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "origin"

    ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
    CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined

    ## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off

    ## Permission for our DocumentRoot ##
    # Indexes enables directory listings; drop it unless browsable directories are wanted
    <Directory /var/www/wp.scsiraidguru.com/public_html>
        Options Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
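To check a configuration like the one above for the settings this page turns on (ServerTokens and ServerSignature, the TLS versions SSLProtocol leaves enabled, compression, session tickets, stapling, the HSTS header and directory indexes), here is a small audit script. It is an added example, not code from this page or from the Apache project; the two configs embedded in it are constructed samples rather than the author's real files, and the only Apache facts it relies on are SSLProtocol's all/+/- semantics, the Apache default of `all -SSLv3`, and the one-year minimum max-age the HSTS preload list requires.

```python
"""Audit an Apache configuration for the hardening settings used on this page.
Added example, not from the page or Apache; both sample configs are constructed."""
import re, shlex, sys

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000  # smallest HSTS max-age the preload list accepts

WEAK_CONFIG = """\
ServerTokens Full
ServerSignature On
<VirtualHost *:443>
    SSLProtocol all -SSLv3
    SSLCompression on
    Header set Strict-Transport-Security "max-age=300"
    Options Indexes FollowSymLinks
</VirtualHost>
"""

HARDENED_CONFIG = """\
ServerTokens Prod
ServerSignature Off
<VirtualHost *:443>
    SSLUseStapling on
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Options FollowSymLinks
</VirtualHost>
"""

def parse_directives(config_text):
    """Yield (directive, args) per directive line. Comments and section tags
    (<VirtualHost>, <Directory>) are skipped, so scope is not tracked."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            tokens = shlex.split(line)
            yield tokens[0].lower(), tokens[1:]

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments as Apache does: 'all' means every
    protocol, '+' or a bare name adds one, '-' removes one."""
    enabled = set()
    for token in args:
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | members) if op == "+" else (enabled - members)
    return enabled

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings, seen, hsts, options = [], {}, None, []
    for directive, args in parse_directives(config_text):
        if (directive == "header" and len(args) >= 3
                and args[-2].lower() == "strict-transport-security"):
            hsts = (args[0].lower() == "always", args[-1])  # (always?, value)
        elif directive == "options":
            options += args
        else:
            seen[directive] = args  # last occurrence wins

    def expect(directive, value):
        got = seen.get(directive.lower())
        if got is None:
            findings.append(f"{directive} not set")
        elif got[0].lower() != value.lower():
            findings.append(f"{directive} is {got[0]!r}, expected {value!r}")

    for directive, value in [("ServerTokens", "Prod"), ("ServerSignature", "Off"),
                             ("SSLCompression", "off"), ("SSLSessionTickets", "off"),
                             ("SSLHonorCipherOrder", "on"), ("SSLUseStapling", "on")]:
        expect(directive, value)
    if "sslprotocol" not in seen:
        findings.append("SSLProtocol not set (Apache's default 'all -SSLv3' allows TLS 1.0/1.1)")
    else:
        legacy = enabled_protocols(seen["sslprotocol"]) & LEGACY_PROTOCOLS
        if legacy:
            findings.append("SSLProtocol enables legacy protocols: " + ", ".join(sorted(legacy)))
    if hsts is None:
        findings.append("Strict-Transport-Security header not set")
    else:
        always, value = hsts
        if not always:
            findings.append("HSTS should use 'Header always set' so redirects and error pages carry it too")
        age = re.search(r"max-age=(\d+)", value)
        if not age or int(age.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
    if any(opt.lower().lstrip("+") == "indexes" for opt in options):
        findings.append("Options Indexes enables directory listings under the DocumentRoot")
    return findings

if __name__ == "__main__":  # python3 audit_apache.py /etc/apache2/sites-available/wp.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    print("\n".join(audit(text) or ["no findings"]))
```

Run it against a real file with `python3 audit_apache.py /etc/apache2/sites-available/wp.conf`; with no argument it audits the constructed weak sample. It reads directives without tracking scope, so a setting present in one VirtualHost and missing from another is not flagged separately. One practitioner caveat the commented-out line in the config above hints at: `Header set Set-Cookie HttpOnly;Secure` replaces every cookie WordPress sets, which is why it breaks the site; `Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"` appends the flags to the existing cookies instead.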
SSL Labs.com rating for this site
Testing TLS_FALLBACK_SCSV
My servers only support TLS 1.2 and TLS 1.3. They can't fall back to TLS 1.1 or earlier. I found this string that tests for it.
openssl s_client -connect wp.scsiraidguru.com:443 -fallback_scsv -no_tls1_2
CONNECTED(00000003)
140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 134 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1590750080
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
SSL alert number 70 is protocol_version. RFC 5246 (section 7.2.2) defines it as: the protocol version the client has attempted to negotiate is recognized but not supported (for example, old protocol versions might be avoided for security reasons). This message is always fatal.
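The transcript above ends in alert 70. The following is an added example, not code from this page: it decodes the alert number openssl s_client prints and, when given a host and network access, repeats the test one TLS version at a time with Python's ssl module. Its only inputs are a constructed sample line modelled on the output above and the alert table from RFC 5246 and RFC 7507. One caveat worth knowing when reading the result: alert 70 means the server found no protocol version in common with the client, so the handshake never reached the point where TLS_FALLBACK_SCSV is checked; a server that still supports TLS 1.1 but honours the SCSV answers with inappropriate_fallback (alert 86, RFC 7507) instead.

```python
"""Decode the alert openssl s_client reports when a downgrade handshake is
refused, and (with network access) repeat the test per TLS version.
Added example, not from the original page; SAMPLE_ALERT_LINE is constructed
to match the shape of the transcript above."""
import re
import socket
import ssl

# TLS AlertDescription values, RFC 5246 section 7.2 plus RFC 7507's 86.
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 86: "inappropriate_fallback",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
    120: "no_application_protocol",
}

SAMPLE_ALERT_LINE = (  # constructed, same shape as the s_client output above
    "140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:"
    "tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:"
    "SSL alert number 70"
)


def decode_alert(s_client_output):
    """Return (number, name) for the 'SSL alert number N' line in openssl
    s_client output, or None when no alert was received."""
    m = re.search(r"SSL alert number (\d+)", s_client_output)
    if not m:
        return None
    number = int(m.group(1))
    return number, ALERT_NAMES.get(number, "unknown")


def explain_downgrade_result(alert):
    """Interpret the outcome of 'openssl s_client -fallback_scsv -no_tls1_2',
    i.e. a client offering at most TLS 1.1 with TLS_FALLBACK_SCSV set."""
    if alert is None:
        return "handshake succeeded: the server accepted the old protocol version"
    number, name = alert
    if name == "protocol_version":
        return ("server has no version in common with the client, "
                "so the TLS_FALLBACK_SCSV check was never reached")
    if name == "inappropriate_fallback":
        return ("server supports the offered version but honours "
                "TLS_FALLBACK_SCSV and refused the downgrade")
    return f"refused with alert {name} ({number})"


def probe_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version and report each outcome.
    Needs network access; not exercised by the offline checks. An OpenSSL 3
    client may refuse TLS 1.0/1.1 locally before the server is ever asked,
    which shows up here as a 'refused' or 'unsupported locally' entry."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.minimum_version = version
            ctx.maximum_version = version
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not trust
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = "accepted: " + tls.version()
        except ValueError as exc:
            results[version.name] = "unsupported locally: " + str(exc)
        except ssl.SSLError as exc:
            # exc.reason is OpenSSL's reason string, e.g. TLSV1_ALERT_PROTOCOL_VERSION
            results[version.name] = "refused: " + (exc.reason or str(exc))
        except OSError as exc:
            results[version.name] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    import sys
    alert = decode_alert(SAMPLE_ALERT_LINE)
    print(alert, "->", explain_downgrade_result(alert))
    if len(sys.argv) > 1:  # python3 tls_probe.py wp.scsiraidguru.com
        for name, outcome in probe_versions(sys.argv[1]).items():
            print(f"{name:8} {outcome}")
```

With no argument the script only decodes the sample line; pass a hostname to run the live probe. The probe deliberately disables certificate verification because the question is which protocol versions the server will negotiate, not whether its chain is trusted; a TLS 1.2/1.3-only server such as the one above should show 'refused' for TLSv1 and TLSv1_1 and 'accepted' for the other two.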