# Secure Apache against Logjam and get A+ on Qualys SSL Labs

## Duncan Mac Leod

To get an A+ on Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) AND to prevent Logjam attacks (https://weakdh.org/sysadmin.html):

```apache
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```
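
An added example, not part of the original post: a small static check that an Apache config carries the settings listed above (old protocols off, compression off, server cipher order, DHE and EXPORT suites excluded, HSTS set). The sample configs are constructed, `audit` and `directives` are hypothetical helper names, and the 180-day HSTS minimum is an assumed threshold.

```python
import re
# Constructed samples: HARDENED uses the post's directives (cipher list shortened),
# WEAK is a made-up counterpart for comparison.
HARDENED = '''
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:!aNULL:!EXPORT:!RC4:!EDH"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
'''
WEAK = '''
SSLProtocol all -SSLv2
SSLCompression On
SSLCipherSuite "DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:!aNULL"
'''
NO_DHE = {"!EDH", "!DHE", "!kEDH", "!kDHE", "!DH"}  # OpenSSL tokens that drop DHE suites
NO_EXPORT = {"!EXPORT", "!EXP"}

def directives(conf):
    """Return {lower-cased directive: argument string}; the last occurrence wins."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out[name.lower()] = args.strip()
    return out

def audit(conf, min_hsts_age=15552000):  # 180 days: an assumed threshold
    """Return a list of findings; an empty list means every check passed."""
    d, findings = directives(conf), []
    proto = d.get("sslprotocol", "all").lower().split()  # assumption: unset means "all"
    for old in ("sslv2", "sslv3"):
        if ("all" in proto or old in proto or "+" + old in proto) and "-" + old not in proto:
            findings.append(old + " enabled")
    if d.get("sslcompression", "").lower() != "off":
        findings.append("SSLCompression not explicitly Off")
    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder not On")
    tokens = set(d.get("sslciphersuite", "").strip('"').split(":"))
    if not tokens & NO_DHE:
        findings.append("DHE key exchange not excluded (Logjam)")
    if not tokens & NO_EXPORT:
        findings.append("EXPORT suites not excluded")
    hsts = re.search(r'(?im)^\s*Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+"max-age=(\d+)', conf)
    if not hsts or int(hsts.group(1)) < min_hsts_age:
        findings.append("HSTS header missing or max-age too short")
    return findings

if __name__ == "__main__":
    print(audit(WEAK))
```

This only reads the directives as written; it does not replace a live scan, since the suites actually offered depend on the OpenSSL build behind Apache.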

----------

## eccerr0r

Now I need to get a traceable (instead of a self-signed) certificate...

Thanks.

----------

## randalla

This helped us out a lot here in our office. I tested with Qualys and got the A+, and it seems that it still supports compatibility where we need it.

----------

