Thank you very much for that. If it’s not too much of a bother to you, can you answer this newb question?
I don’t know much about what exactly OpenSSL is. Can you tell me if updating it will affect my websites or databases or php or anything else? I don’t wanna run into compatibility issues.
Additionally, I’d enable the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) (ECDHE-RSA-AES256-SHA in OpenSSL 1.0.1) for supporting IE10. Some people cannot or don’t want to update to IE11, and if they have enabled TLS 1.2 in their Internet Settings like suggested, they could access your server.
HSTS is a pain for minor sites as you need to worry a lot more about your private keys.
You might want to enable OCSP stapling as that can help some with SSL performance. The intermediate settings from Mozilla are a good practice imho. You might want to use https://mozilla.github.io/server-side-tls/ssl-config-generator/ as it makes your life easier: just enter your version of Apache and OpenSSL and it will generate the Apache configuration settings for you!
HSTS is never overkill. Just set it up as described there, and no customer/client/user who has ever connected with the HSTS setup will ever hit the http port again, safely staying on the https port only. As I can see, you have redirection to https already activated, so the remaining part is only the one configuration line in your TLS VirtualHost:
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
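As an added example (not code from the thread), this small Python validator parses a Strict-Transport-Security value such as the Apache line above and reports what the browser will commit to; the header value and the two-year threshold are taken from the post, the function names are my own.

```python
"""Validate a Strict-Transport-Security header value before deploying it.

Added example, not from the thread. It parses the directive syntax of
RFC 6797 and flags the points discussed above: browsers refuse plain
HTTP for the whole max-age window, so the value is a commitment.
"""
from dataclasses import dataclass

RECOMMENDED_MAX_AGE = 63072000  # two years, as in the Apache line above


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool
    warnings: list


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the header value; directive names are case-insensitive."""
    max_age = None
    include_subdomains = preload = False
    warnings = []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:  # tolerate the trailing ';' seen in the Apache line
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age needs a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            warnings.append(f"unknown directive ignored: {name}")
    if max_age is None:
        raise ValueError("max-age is required; browsers ignore the header without it")
    if max_age < RECOMMENDED_MAX_AGE:
        warnings.append(f"max-age {max_age}s is shorter than the usual {RECOMMENDED_MAX_AGE}s")
    if include_subdomains:
        warnings.append("includeSubDomains: every subdomain must serve valid TLS too")
    return HstsPolicy(max_age, include_subdomains, preload, warnings)


def rollback_days(policy: HstsPolicy) -> float:
    """Days a returning visitor stays HTTPS-only after their last HTTPS visit."""
    return policy.max_age / 86400
```

Running `rollback_days(parse_hsts('max-age=63072000; includeSubdomains;'))` gives 730 days, which is the window you need to be comfortable with before switching the header on.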
Certainly you will get different advice, even I myself do suggest different sets of ciphers, depending on the purpose of the server, and also depending on collected wisdom and practice.
Some want to help you get 4*100 on SSL Labs and advise only AES256 ciphers, others will tell you that AES256 is bad and you should stick with AES128 only. Some like ECDSA keys, others don’t want to trust them before new curves have found their way into servers and clients. You know, the truth lies somewhere in the middle.
Finally, the choice of ciphers and protocols highly depends on client backward compatibility. If you look at the Handshake Simulation section of the SSL Labs output, you will see that quite a few browsers will not be able to connect to your server at all. If you can live with that, just stay with your set of ciphers.
Your protocol and cipher selection, which is actually Mozilla’s Modern Security, is concise and secure, just disregard my suggestion then.
Well, the problem with HSTS is that if I for any reason want to/have to go back to http (which I can't imagine right now), it would mean a lot of trouble for, say, the next 6 months. I could lose a lot of traffic. And my puny little experience has taught me that in terms of web development, you can never imagine what's coming. So I want the flexibility of getting off the https wagon IF I have to. Makes sense?
And yeah, I don't care much about supporting ancient browsers, so Modern ciphers are fine for me.
A’right guys. I think I’ll go with HSTS but not at the moment. This is not a new site and I can’t afford to take a new domain and start over, so I need to play it safe. I’ll wait out for at least 3 months and see how the renewal process goes. Then I’ll commit to https with HSTS.
I must thank all of you guys for helping me achieve this. I’m very happy.