Create an Apache web server which accepts strong encryption only.
The following will provide a strong SSL security compatible with all modern browsers. In short, they set a strong Forward Secrecy enabled ciphersuite, they disable SSLv2 and SSLv3, and enable OCSP Stapling.
Edit your Apache configuration file
/etc/apache2/conf.d/ssl.conf and add the following:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# OCSP Stapling, only in httpd 2.3.3 and later
[root@nowherelan]# systemctl reload httpd.service
Use the following online tools to remotely check your site for which protocols and cipher suites it permits:
The following enables only the strongest ciphers:
While with the following configuration you specify a preference for specific speed-optimized ciphers (which will be selected by mod_ssl, provided that they are supported by the client):
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 SSLHonorCipherOrder on
When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client’s preference is used. If the SSLHonorCipherOrder directive is enabled, the server’s preference will be used instead.
The CRIME attack uses SSL Compression in its exploit, so we can choose to disable that
The Online Certificate Status Protocol (OCSP) is a mechanism for determining whether or not a server certificate has been revoked, and OCSP Stapling is a special form of this in which the server, such as httpd and mod_ssl, maintains current OCSP responses for its certificates and sends them to clients which communicate with the server. Most certificates contain the address of an OCSP responder maintained by the issuing Certificate Authority, and mod_ssl can communicate with that responder to obtain a signed response that can be sent to clients communicating with the server.
Because the client can obtain the certificate revocation status from the server, without requiring an extra connection from the client to the Certificate Authority, OCSP Stapling is the preferred way for the revocation status to be obtained. Other benefits of eliminating the communication between clients and the Certificate Authority are that the client browsing history is not exposed to the Certificate Authority and obtaining status is more reliable by not depending on potentially heavily loaded Certificate Authority servers.
Because the response obtained by the server can be reused for all clients using the same certificate during the time that the response is valid, the overhead for the server is minimal.
Once general SSL support has been configured properly, enabling OCSP Stapling generally requires only very minor modifications to the httpd configuration — the addition of these two directives:
My System Configuration
- CentOS 7
- Apache 2.4
- https://cipherli.st/ – List of Strong Ciphers for Apache
- https://ssl-config.mozilla.org/ – Mozilla SSL Configuration Generator
One thought on “SSL/TLS Strong Encryption in Apache”
RC4-SHA? Really. This is absolute bs.