So only enable SSL on Apache is not good enough there are some config to add to
apache to make it stronger.
This are the setting i use in my apache ssl configs.
SSLEngine On SSLCertificateFile /etc/apache2/ssl/apache.pem SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Header add Strict-Transport-Security "max-age=15768000" SSLCompression off SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
And for generating you cert I use
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key
If you plan to get a signing request
openssl req -newkey rsa:2048 -days 365 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr
Then change your ssl settings to
SSLEngine On SSLCertificateFile /etc/apache2/ssl/www.mydomain.com.crt SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com.key SSLCACertificateFile /etc/apache2/ssl/verisign.cer
I got my settings from this great places
https://library.linode.com/web-servers/apache/ssl-guides/ubuntu-12.04-precise-pangolin
https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/
https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html