Is anyone aware of this? Virtualmin doesn't handle CAA records in DNS. I guess I can still add it manually, but is that legitimate? I didn't find much info about that on the net!
No no, you have to add it in the BIND template for the zone!
Virtualmin -> System Settings -> Server Templates -> Default Settings -> BIND DNS Domain
In the first field, "BIND DNS records for new domains", you add the two lines I indicated and save!
You also have to remove all ciphers that are 128 bits or less in your Apache config, and then you should get an A grade on that test like me:
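As an added example (it is not from this thread and not Virtualmin's own code), the Python below generates CAA lines of the kind the post says to paste into the BIND records template, and then evaluates a zone the way a CA must under RFC 8659 (the current CAA specification, which CAs have been required to honour since 2017, so the record is entirely legitimate to add). It covers the cases a practitioner trips over: a `;` inside a quoted value, the `issuewild ";"` form that forbids wildcards, the walk up to the closest ancestor that has a CAA RRset, and an issuer-critical record with a tag the CA does not know. The `${DOM}` placeholder, the zone text and every domain name are assumptions constructed for the example.

```python
"""Added example, not from the Virtualmin thread: generate CAA lines for a
BIND zone and evaluate, following RFC 8659, which CA the zone lets issue for
a name.  Zone text and names are constructed for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = issuer-critical
    tag: str     # issue, issuewild, iodef, ...
    value: str


# owner [ttl] IN CAA flags tag "value"
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$', re.I)


def caa_lines(owner, ca_domains, allow_wildcard=False, iodef=None):
    """Zone-file lines that let only `ca_domains` issue for `owner`.  Pass
    owner="${DOM}" for a Virtualmin template (assumed placeholder name)."""
    owner = owner.rstrip(".") + "."
    lines = [f'{owner} IN CAA 0 issue "{ca}"' for ca in ca_domains]
    if not allow_wildcard:
        lines.append(f'{owner} IN CAA 0 issuewild ";"')  # ';' = no CA at all
    if iodef:
        lines.append(f'{owner} IN CAA 0 iodef "{iodef}"')
    return lines


def strip_comment(line):
    """Remove a ';' comment, but not a ';' inside a quoted value."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def parse_caa(zone_text):
    """Collect the CAA RRsets of a zone fragment as {owner: [CAA, ...]}."""
    rrsets = {}
    for raw in zone_text.splitlines():
        m = CAA_LINE.match(strip_comment(raw).strip())
        if m:  # other record types are ignored
            owner, flags, tag, value = m.groups()
            rrsets.setdefault(owner.lower().rstrip("."), []).append(
                CAA(int(flags), tag.lower(), value))
    return rrsets


def relevant_rrset(rrsets, name):
    """RFC 8659 section 3: the CAA RRset of `name` or its closest ancestor."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = rrsets.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(rrsets, name, ca_domain, wildcard=False):
    """Would the CA identified by `ca_domain` be allowed to issue for `name`?"""
    rrset = relevant_rrset(rrsets, name)
    if not rrset:
        return True                      # no CAA anywhere: unrestricted
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False                     # critical tag the CA cannot honour
    props = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not props:                        # wildcards fall back to 'issue'
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True                      # no issue property: unrestricted
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in props}
    return ca_domain.lower() in allowed - {""}   # "" comes from issue ";"


# constructed zone fragment for the example
ZONE = """\
example.com.        IN CAA 0 issue "letsencrypt.org"   ; only this CA
example.com.        IN CAA 0 issuewild ";"             ; and never a wildcard
example.com.        IN CAA 0 iodef "mailto:security@example.com"
strict.example.com. IN CAA 128 future-tag "x"          ; unknown critical tag
"""
RRSETS = parse_caa(ZONE)

if __name__ == "__main__":
    print("\n".join(caa_lines("${DOM}", ["letsencrypt.org"])))
    print(ca_may_issue(RRSETS, "www.example.com", "letsencrypt.org"))
```

Paste the output of `caa_lines("${DOM}", [...])` into the template field named in the post, and check `named-checkzone` accepts it: BIND needs a version that knows the CAA type natively for the `CAA` mnemonic to parse.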
Dear vincen,
Many thanks for the tip. Now I also have an A- certificate, which is quite great. But I am also interested in obtaining an A+ certificate.
I go to my domain -> Services -> Configure Website for SSL, and where it says SSL protocols I see that TLSv1 is marked.
But when I do what you say, Apache doesn't start.
You also have to remove all ciphers that are 128 bits or less in your Apache config, and then you should get an A grade on that test like me:
Log in to Webmin -> Webmin panel -> Apache Webserver -> click on the virtual server you want to change -> in the new screen click on 'Edit Directives' -> put your changes in there and restart Apache.
I have this: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
When I leave it in: SSLProtocol TLSv1
As said, Apache doesn't restart. When restoring the line, everything works again.
Can you please let me know what I might be doing wrong?
You should check the error when you try to restart Apache and it refuses! You are probably missing some modules, not activated in Apache or not installed, because normally only TLS 1.2 should be active and everything else off!!
I also added these directives in Apache's ssl.conf to make it more secure (be careful to activate the headers module in Apache first or you won't be able to restart Apache after the modifications!):
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
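The checker below is an added example in Python, not part of the thread and not Virtualmin's or Apache's code. It works out which protocols an `SSLProtocol` value actually enables (so you can see why `SSLProtocol TLSv1` leaves TLS 1.0 on), lists the cipher names of 128 bits or less that the earlier post says to remove (that rule is about the rating's cipher-strength score, not a practical weakness of AES-128), and flags the two omissions that make Apache refuse to restart after pasting the directives above: a `Header` line without mod_headers loaded, and `SSLUseStapling on` without an `SSLStaplingCache`. The mod_ssl semantics it models, the cipher-bits table and both sample configurations are assumptions constructed for the example.

```python
"""Added example (not from the thread): check Apache TLS directives for the
points discussed above.  Protocol semantics, cipher table and the two sample
configurations are assumptions constructed for this example."""

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# symmetric key size per cipher-name fragment (assumed lookup table)
CIPHER_BITS = {"NULL": 0, "DES-CBC3": 112, "RC4": 128, "AES128": 128,
               "CAMELLIA128": 128, "AES256": 256, "CAMELLIA256": 256,
               "CHACHA20": 256}


def enabled_protocols(value):
    """Evaluate an SSLProtocol value: '-' removes, '+' or a bare name adds,
    'all' expands to every protocol mod_ssl 2.4 knows (assumed model)."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def weak_ciphers(cipher_suite):
    """Elements of an SSLCipherSuite string naming ciphers of <=128 bits.
    Elements removed with '!' or '-' are skipped; keyword groups like HIGH
    are not expanded, so this is a heuristic, not OpenSSL's resolution."""
    weak = []
    for element in cipher_suite.split(":"):
        if element.startswith(("!", "-")):
            continue
        if any(f in element.upper() and b <= 128 for f, b in CIPHER_BITS.items()):
            weak.append(element)
    return weak


def directives(config_text):
    """Map directive name -> list of values, ignoring comments and tags."""
    seen = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            seen.setdefault(name, []).append(value.strip())
    return seen


def check_ssl_config(config_text):
    """Return a list of findings; an empty list means the config passes."""
    seen = directives(config_text)
    findings = []
    for value in seen.get("SSLProtocol", []):
        weak = enabled_protocols(value) & WEAK_PROTOCOLS
        if weak:
            findings.append(f"SSLProtocol '{value}' still enables {sorted(weak)}")
    for value in seen.get("SSLCipherSuite", []):
        findings += [f"cipher {c} is 128 bits or less" for c in weak_ciphers(value)]
    if "on" not in [v.lower() for v in seen.get("SSLHonorCipherOrder", [])]:
        findings.append("SSLHonorCipherOrder is not on")
    if "off" not in [v.lower() for v in seen.get("SSLCompression", [])]:
        findings.append("SSLCompression is not off")
    if "Header" in seen and not any("headers_module" in v for v in seen.get("LoadModule", [])):
        findings.append("Header used but mod_headers not loaded: Apache will not start")
    if "Strict-Transport-Security" not in " ".join(seen.get("Header", [])):
        findings.append("no HSTS header")
    if "on" in [v.lower() for v in seen.get("SSLUseStapling", [])] and "SSLStaplingCache" not in seen:
        findings.append("SSLUseStapling on without SSLStaplingCache: mod_ssl will not start")
    return findings


# constructed configurations: the weak one beside the hardened one
BEFORE = """\
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:443>
SSLEngine on
SSLProtocol TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:!aNULL
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
"""
AFTER = """\
LoadModule ssl_module modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
</VirtualHost>
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check_ssl_config(cfg) or "OK")
```

Run it over the concatenation of the global ssl.conf and the virtual host block you edited in Webmin, since the `LoadModule` and `SSLStaplingCache` lines live in the server context while the rest sits inside the `<VirtualHost>`; then `apachectl configtest` confirms the real parser agrees before you restart.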
TLS 1.0 and 1.1 are now considered weak, so they should not be activated! It's not because a lot of outdated and insecure devices are in the field that you should continue to use outdated and weak protocols, no?
I'm using it on all my clients' websites and still get an A+ score, so they are definitely not obsolete. Some things I like to push to the newer versions (e.g. PHP), but for some it is better to hold the middle ground. I don't really want to cut off XX% of mobile/tablet users, especially when it comes to more serious/demanding clients.
Plus, it depends on your configuration whether TLSv1.0 and 1.1 will be secure or not, which ciphers and so on. For example, if nothing changed, IE 7-10 don't support 1.1 by default and only IE 11 has it enabled. Who knows how many mobile phones and tablets are in the same situation. These are pretty big numbers to be cut off from your website so easily (especially from your clients). Balance is the key word here.
The only reason to disable TLSv1.0 would be PCI compliance; you can still use the other two without any problem.