That's a very broad question. I myself am inclined to say "no", because I'm not seeing a lot of effort from your side to get to the bottom of this. Also, in combination with your other thread, I'm not sure if you're the right person to set up these kinds of websites at the moment, because of lack of knowledge. I would suggest you first read a lot of information about how TLS (SSL is the old name for the current TLS standard(s)) actually works before we can even start to help you. You need to UNDERSTAND what you're doing. We can hold your hand and tell you what to do (i.e.: give you a fish, so you can eat for one day), but it's far wiser for you to educate yourself, perhaps with a little aid from sites like this community (i.e.: learn how to fish, so you can eat for the rest of your life).
I do not use Apache anymore, but this is more like how your conf file should look for a vhost. As @Osiris said, you must understand what you are doing and why; copy-and-paste learning can get you into trouble if you are not sure what you are copying and pasting and what it does. But here's a sample config from when I last used Apache some 9 months ago.
As the others have said, it’s important to understand what you’re doing, as the wrong settings can prevent your server from functioning until fixed or leave you with a very insecure configuration. If you’re unsure, always keep a backup of the contents for the files you’re editing.
That said, some of the settings are okay to copy and paste if you use a good source. In general, you don’t need to worry about the revocation, verify and a few other configuration parameters as they apply to client-supplied certificates or other specialized configurations.
The config generator you linked is a good source for many of the settings, just make sure you put the right versions in the form so you’re getting settings that will work with your configuration. Unless you know viewers are going to use very old browsers or strictly new ones, the “intermediate” settings are your best option.
Sorry if I gave you the impression I wasn't looking to understand and not trying to do it by myself.
In fact that's what I came here for: to understand the parameters.
So I will tell you what I understood and hope you can correct me if I'm wrong.
SSLProtocol
defines the protocols
--> SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite
if I understood correctly, this is determined by my OpenSSL version, currently 1.0.1f
so:
--> SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder
the client must follow the server's order
--> on
SSLCompression
--> off
!!! Enabling compression causes security issues (CRIME attack).
SSLSessionTickets
--> off
Using them without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.
#############################################
To be removed, as those parameters are used when we know the clients, as on an intranet: SSLCACertificatePath, SSLCACertificateFile, SSLCARevocationPath, SSLCARevocationFile, SSLVerifyClient, SSLVerifyDepth
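As an added example (not posted by anyone in this thread), here is a small checker that reads an Apache vhost fragment and reports any of the directives discussed above that are still left in the state the thread warns against: legacy protocols enabled, SSLHonorCipherOrder off, SSLCompression on, SSLSessionTickets on, or the client-certificate directives present. The sample vhost text is constructed for the example; the defaults assumed when a directive is absent are noted in comments.

```python
import re
from typing import Dict, List

# Constructed vhost fragment using the settings proposed in the thread.
SAMPLE_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!DSS
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    # SSLVerifyClient require   <- left commented out: client-cert setups only
</VirtualHost>
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
CLIENT_CERT_DIRECTIVES = ("SSLCACertificatePath", "SSLCACertificateFile",
                          "SSLCARevocationPath", "SSLCARevocationFile",
                          "SSLVerifyClient", "SSLVerifyDepth")

def parse_ssl_directives(conf: str) -> Dict[str, str]:
    """Map each SSL* directive to its argument string; '#' lines are comments."""
    found: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(SSL\w+)\s+(.*)", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def audit_ssl_config(conf: str) -> List[str]:
    """Return findings for settings that contradict the thread's guidance."""
    d = parse_ssl_directives(conf)
    findings: List[str] = []
    tokens = d.get("SSLProtocol", "all").split()   # assumed default: 'all'
    for p in LEGACY_PROTOCOLS:
        listed = "all" in tokens or p in tokens or ("+" + p) in tokens
        if listed and ("-" + p) not in tokens:
            findings.append(f"SSLProtocol leaves {p} enabled")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":   # assumed default: off
        findings.append("SSLHonorCipherOrder is not on (client chooses the cipher)")
    if d.get("SSLCompression", "off").lower() == "on":        # assumed default: off
        findings.append("SSLCompression on (CRIME)")
    if d.get("SSLSessionTickets", "on").lower() != "off":     # assumed default: on
        findings.append("SSLSessionTickets on (weakens forward secrecy)")
    findings += [f"{n} set: only needed for client-certificate verification"
                 for n in CLIENT_CERT_DIRECTIVES if n in d]
    return findings
```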