I am studying for my CISSP certification. One of the domains goes over encryption. Here is the basic configuration for my Apache SSL security; I decided to spend some time breaking it down.
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DES:!RC4:!MD5:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
The SSL Cipher Suite configuration
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DES:!RC4:!MD5:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
This provides a balance of high-strength TLS 1.2 and TLS 1.3 ciphers and disables the weak ones. Lily @ SSLLabs.com recommended disabling the Safari 6 to 8 ciphers.
SSLProtocol -all +TLSv1.3 +TLSv1.2
The devices listed on the other page, SSL Configuration, show which ones are allowed and not allowed. The setting -all turns every protocol off; the two + entries then re-enable only TLS v1.2 and TLS v1.3. I have seen many debates on only allowing TLS v1.3. Many older devices outside the US, UK and EU still use TLS v1.2. TLS v1.2 is still considered good.
I read TLS v1.3 has issues.
TLS v1.3 was first released April 17, 2014.
OpenSSL 1.1.1, the first release to include TLSv1.3 support, was released September 11, 2018.
OpenSSL 1.1.1 has issues.
OpenSSL 1.1.1i released December 8, 2020
OpenSSL 1.1.1 < 1.1.1i Null Pointer Dereference Vulnerability
Note: The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version, supported until 11th September 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 1.1.1 as soon as possible. Extended support for 1.0.2 to gain access to security fixes for that version is available. I have an entire page on OpenSSL: Upgrade Openssl.
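The SSLProtocol and SSLCipherSuite values above, checked by a small linter added here (this is not code from the post or from Apache): it models mod_ssl's left-to-right protocol parsing and flags cipher-list tokens that break the colon-separated syntax or repeat a rule. The set of protocol names is an assumption about what a current Apache 2.4 / OpenSSL 1.1.1 build supports.

```python
import re
from collections import Counter

# Assumption: the protocol names a current Apache 2.4 / OpenSSL 1.1.1 build knows.
PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# The post's SSLCipherSuite value, pasted in here as constructed sample input.
POSTED_CIPHERS = ("EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:"
                  "!LOW!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DES:"
                  "!RC4:!MD5:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384")


def enabled_protocols(directive: str) -> set:
    """Evaluate an SSLProtocol value left to right the way mod_ssl does:
    '+name' adds, '-name' removes, 'all' stands for every protocol, and a
    bare name replaces whatever was set before it."""
    enabled = set()
    for token in directive.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            names = set(PROTOCOLS)
        elif name in PROTOCOLS:
            names = {name}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if op == "-":
            enabled -= names
        elif op == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


def lint_cipher_list(value: str) -> dict:
    """Split an OpenSSL cipher list on ':' and report two easy slips:
    a '!' or '-' glued inside a token (a missing ':') and rules listed twice."""
    tokens = value.split(":")
    # '+' inside a token is legal (EECDH+AESGCM means both); a '!' or '-' after
    # the first character is not: '!LOW!CAMELLIA' should read '!LOW:!CAMELLIA'.
    malformed = [t for t in tokens if re.search(r".[!-]", t)]
    duplicates = sorted(t for t, n in Counter(tokens).items() if n > 1)
    return {"tokens": tokens, "malformed": malformed, "duplicates": duplicates}


if __name__ == "__main__":
    print(sorted(enabled_protocols("-all +TLSv1.3 +TLSv1.2")))
    report = lint_cipher_list(POSTED_CIPHERS)
    print("malformed:", report["malformed"], "duplicates:", report["duplicates"])
```

To see what a cipher string actually expands to on your build, run `openssl ciphers -v '<string>'`. Note that with OpenSSL 1.1.1 this SSLCipherSuite list only governs TLS 1.2 and earlier; the TLS 1.3 suites are configured separately (the `SSLCipherSuite TLSv1.3 ...` form in Apache 2.4.36 and later).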
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
X25519:
Curve25519
128 bits of security (256-bit key size)
Designed for use with the elliptic-curve Diffie-Hellman (ECDH) key agreement scheme.
It is one of the fastest ECC curves.
The reference implementation is public-domain software.
The protocol uses compressed elliptic points (only the X coordinate), which allows efficient use of the Montgomery ladder for ECDH using only XZ coordinates.