Apache Strong SSL config

So only enable SSL on Apache is not good enough there are some config to add to
apache to make it stronger.

 

This are the setting i use in my apache ssl configs.

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Header add Strict-Transport-Security "max-age=15768000"
SSLCompression off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

And for generating you cert I use

openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key

If you plan to get a signing request

openssl req -newkey rsa:2048 -days 365 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr

Then change your ssl settings to

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/www.mydomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com.key
SSLCACertificateFile /etc/apache2/ssl/verisign.cer

 

I got my settings from this great places

https://library.linode.com/web-servers/apache/ssl-guides/ubuntu-12.04-precise-pangolin

https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

 

Leave a Reply

%d bloggers like this: