This is an old revision of the document!
Apache SSL Settings
Version information
The instructions in this document were written based on the following software versions.
- OS: CentOS 7
- Webserver: Apache 2.4.6
General SSL settings
According to the website bettercrypto.org, the following SSL settings are recommended:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add six earth month HSTS header for all users...
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
# HTTP Public Key Pinning (HPKP) for 90 days (60*60*24*90=7776000)
# At least use one Backup-Key and/or add whole CA, think of Cert-Updates!
Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\""
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
This brings the configuration in line with the current SSL settings. These settings are applied per VHost.
Further version information
- Apache 2.2.22, Debian Wheezy with OpenSSL 1.0.1e
- Apache 2.4.6, Debian Jessie with OpenSSL 1.0.1e
- Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k
- Apache 2.4.7, Ubuntu 14.04.2 Trusty with OpenSSL 1.0.1f
- Apache 2.4.6, CentOS Linux 7 (Core) with OpenSSL 1.0.1e
it_best_practise/apache/ssl_settings.1488537410.txt.gz · Last modified: 2024/02/27 11:40 (external edit)