Apache SSL settings

Having tried Detectify, which gave me a lot of work to do, I’m going to write up a few of the settings that drastically improved the security of my sites.

The site was also tested on Qualys SSL Labs, and the information about securing Apache with SSL was compiled from various forums and informational sites.

The following is the SSL excerpt from the vhost I’m using on my Apache web server. Disabling SSLv3 removes the POODLE attack (a padding-oracle attack on the CBC suites of SSL 3.0), which is also why the configuration is only usable if you do not need SSLv3 clients. Putting the AES-GCM suites first means TLS 1.2 clients never negotiate the CBC suites that BEAST targets; TLS 1.0 clients still end up on a CBC suite, and for them the real BEAST fix is on the client side.

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA \
!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

SSLCertificateFile /etc/ssl/certs/cert.crt
SSLCertificateKeyFile /etc/ssl/private/cert.key
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
SSLCACertificateFile /etc/ssl/certs/ca.pem

The settings explained:
SSLEngine on
Enables SSL on your vhost.
SSLProtocol all -SSLv2 -SSLv3
Enables every protocol version the OpenSSL build supports (TLS 1.0, 1.1 and 1.2 at the time of writing) except SSLv2 and SSLv3. SSLv2 is broken outright and SSLv3 is what POODLE exploits, so a client that can only speak SSLv3 will fail to connect rather than be served insecurely.
SSLHonorCipherOrder on
Makes the server pick, from the suites the client offers, the first one in the server's own order instead of the client's. Without it the client's preference wins, and the careful ordering in SSLCipherSuite does nothing.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
The suites the server offers, in order of preference (first entry most preferred). Each word is an OpenSSL cipher-string rule: a plus sign narrows a rule to suites matching every keyword (EECDH+ECDSA+AESGCM is ECDHE key exchange with an ECDSA certificate and AES-GCM), a bare keyword such as EECDH adds every remaining suite with that property, and an exclamation point permanently removes the matching suites from the list, so no later rule can add them back. This is different from a minus sign, which only drops a suite until a later rule re-adds it.
SSLCertificateFile /etc/ssl/certs/cert.crt
Specifies the path to the server certificate, in PEM format.
SSLCertificateKeyFile /etc/ssl/private/cert.key
Specifies the path to the private key matching that certificate. Keep the file readable by root only; Apache reads it before dropping privileges.
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
Specifies the path to the intermediate certificate(s) of the signing certificate authority, so that the server sends the whole chain and clients that do not already hold the intermediate can still validate the certificate. On Apache 2.4.8 and later this directive is deprecated: append the intermediates to the file named by SSLCertificateFile instead.
SSLCACertificateFile /etc/ssl/certs/ca.pem
Specifies the path to the CA certificates the server trusts for client certificate authentication (SSLVerifyClient). It is easy to mistake for the root of the server's own chain, but it has no effect on what is sent to browsers, and it can be left out unless you authenticate clients by certificate. The root certificate itself does not need to be served at all, since clients already hold it in their trust store.
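To see what the cipher string above actually selects before restarting Apache, here is an added example of my own (not part of the original post or of Apache) that asks the local OpenSSL, through Python's ssl module, to expand the string exactly as mod_ssl would, audits the result for the families the exclamation-point rules are meant to remove and for key exchanges without forward secrecy, and shows the difference between "!" and "-" explained above. It assumes a Python build linked against OpenSSL; the constant and function names (SERVER_CIPHERSUITE, suites, expand, audit, readd_possible) are my own.

```python
import ssl

# The SSLCipherSuite value from the vhost above, joined onto one line. Apache
# hands this string to OpenSSL unchanged, so OpenSSL's own expansion of it is
# exactly the list the server will offer.
SERVER_CIPHERSUITE = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA "
    "!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Suite-name fragments that must be absent if the "!" rules did their job.
# "DES" also catches the 3DES suites (OpenSSL names them ...-DES-CBC3-SHA);
# ADH and AECDH are the anonymous (aNULL) key exchanges.
BANNED = ("RC4", "DES", "NULL", "MD5", "PSK", "SRP", "DSS", "EXP", "ADH", "AECDH")


def suites(cipher_string):
    """Expand an OpenSSL cipher string into the ordered suite records
    (name, protocol, description, ...) it selects, parsed by OpenSSL itself.
    Raises ssl.SSLError if no TLS 1.2-or-older suite survives the rules.
    TLS 1.3 suites are configured separately in OpenSSL and are not governed
    by SSLCipherSuite, so they are dropped here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Apache separates rules with spaces; OpenSSL accepts spaces as well as ':'.
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def expand(cipher_string):
    """Just the suite names, in server preference order."""
    return [c["name"] for c in suites(cipher_string)]


def audit(cipher_string):
    """Return the suites that break the policy the string intends: a banned
    family, or a key exchange without forward secrecy. OpenSSL's description
    line shows ECDHE as "Kx=ECDH" and DHE as "Kx=DH"; static RSA key exchange
    would show as "Kx=RSA" and is reported."""
    offending = []
    for c in suites(cipher_string):
        name, desc = c["name"], c["description"]
        banned = any(b in name for b in BANNED)
        forward_secret = "Kx=ECDH" in desc or "Kx=DH" in desc
        if banned or not forward_secret:
            offending.append(name)
    return offending


def readd_possible(cipher_string):
    """True if the string still selects at least one suite. Used to show that
    a suite removed with "!" cannot be added back by a later rule, while one
    removed with "-" can."""
    try:
        return bool(expand(cipher_string))
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for name in expand(SERVER_CIPHERSUITE):
        print(name)
    print("policy violations:", audit(SERVER_CIPHERSUITE) or "none")
    # "-" is a soft removal: the trailing AESGCM rule brings the suites back.
    print("EECDH+AESGCM:-AESGCM:AESGCM selects suites:",
          readd_possible("EECDH+AESGCM:-AESGCM:AESGCM"))
    # "!" is permanent: the same trailing rule cannot revive them, and OpenSSL
    # rejects the string because nothing is left.
    print("EECDH+AESGCM:!AESGCM:AESGCM selects suites:",
          readd_possible("EECDH+AESGCM:!AESGCM:AESGCM"))
```

The same expansion is available from the command line as `openssl ciphers -v "<string>"`, which is the quickest way to check a string on the server itself; the Python version is useful when you want to assert on the result (for example in a deployment check) rather than read it. Note that the audit judges only what the string intends: the CBC-SHA1 suites that the bare EECDH rule admits for older clients pass it, because the page's string deliberately keeps them.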

Hope that helps someone.

EDIT 09-12-2014: Still prevents the POODLE attack; removed RC4 from the ciphers.
