https://www.ssllabs.com/ssltest/
刪除支持SSLv2 SSLv3 TLSv1 TLSv1.1, 保留TLSv1.2, TLSv1.3
另外這個SSLCipherSuite SSLHonorCipherOrder應該是以High順序, 停用另外3個
vi /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
.
.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
.
.
</VirtualHost>
</IfModule>
設定HSTS, 當Browser過這台server的網頁一年之內都預設使用https, 而且証書錯誤亦不能略過, 小心使用
sudo a2enmod headers
systemctl restart apache2
vi /etc/apache2/conf-available/security.conf
Header always set Strict-Transport-Security "max-age=31536000;includeSubdomains; preload"
systemctl restart apache2
Reference
https://www.leaderssl.com/news/471-how-to-disable-outdated-versions-of-ssl-tls-in-apache