Harden Apache2 SSL

  • Hello,

    if you are using secure connections you can check your page at different sites (e.g. https://www.ssllabs.com/ssltest/) to get a grade (A+ to F). When hardening the SSL connection of Apache you always have to keep mobile devices in mind. Most of them are not able to use the best up-to-date secure options. So the key is to find the most secure solution that still gives a secure and reachable webpage.

    Example SSLLabs test result: https://www.ssllabs.com/ssltest/analyze.html?d=inf-ro.de

    I am running Ubuntu 14.04 LTS using I-MSCP 1.2.x. Inside /etc/apache2/mods-available/ssl.conf I changed the following lines to get an "A":

        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:HIGH:!MD5:!RC4:!DES:!MD5:!PSK:!aNULL:!eNULL:!EXPORT
        SSLHonorCipherOrder on
        SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

    And at the bottom I added:

        SSLCompression off
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        #SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
        SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)"
        SSLStaplingResponseMaxAge 600

    If you have a better knowledge base on how to secure Apache2 SSL, please tell me/us. With this configuration every modern mobile device is able to connect, as well as PCs.

    Software which is not able to connect using my configuration:

    • IE 6 / XP
    • Java 6u45

    To get an "A+" I think you just need to enable HSTS: https://raymii.org/s/tutorials…e_NGINX_and_Lighttpd.html

    Edited 2 times, last by UncleSam.
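    A small lint script for the kind of ssl.conf fragment shown in the post above. This is an added example written for this thread, not code from the post, from i-MSCP or from Apache; it checks the hardening points the post touches (protocol versions, cipher exclusions, cipher order, compression, OCSP stapling) plus the HSTS header the post names as the step to A+. The two embedded configs are constructed samples: one copies the directives from the post, the other is a deliberately weak fragment. The `ALL_PROTOCOLS` set is an assumption about what mod_ssl's `all` keyword expands to on a 2014-era build (no SSLv2, no TLSv1.3).

```python
"""Lint an Apache mod_ssl fragment for the hardening points discussed in the
thread.  Added example: not the post's own code and not an official tool."""
import re

# Assumption: what mod_ssl's "all" keyword expands to on an Apache 2.4 build
# of the Ubuntu 14.04 era (SSLv2 already gone, TLSv1.3 not yet available).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# OpenSSL exclusions a hardened SSLCipherSuite string should carry.
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!EXPORT", "!RC4", "!MD5")


def parse_directives(text):
    """Return [(name, args)] per directive line, skipping blanks and comments.
    Apache directive names are case-insensitive, so names are lower-cased."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        name = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        directives.append((name, args))
    return directives


def enabled_protocols(args):
    """Apply SSLProtocol semantics: 'all' selects everything, '+X' or a bare
    'X' enables X, '-X' disables X.  Order of tokens matters."""
    enabled = set()
    for tok in args.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("+"):
            enabled.add(tok[1:])
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok)
    return enabled


def lint_ssl_config(text):
    """Return a list of findings; an empty list means every check passed."""
    seen = {}
    hsts = False
    for name, args in parse_directives(text):
        seen[name] = args  # last occurrence wins, like Apache's own merge
        # mod_headers: Header always set Strict-Transport-Security "..."
        if name == "header" and "strict-transport-security" in args.lower():
            hsts = True

    findings = []
    protos = enabled_protocols(seen.get("sslprotocol", "all"))
    for weak in ("SSLv2", "SSLv3"):
        if weak in protos:
            findings.append(f"{weak} enabled via SSLProtocol")

    suite = seen.get("sslciphersuite", "")
    for excl in REQUIRED_EXCLUSIONS:
        if excl not in suite:
            findings.append(f"SSLCipherSuite does not exclude {excl[1:]}")

    if seen.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off (client picks the cipher)")
    # SSLCompression defaults to off on Apache 2.4.4+; only flag an explicit on.
    if seen.get("sslcompression", "off").lower() == "on":
        findings.append("SSLCompression on (TLS compression, CRIME)")
    if seen.get("sslusestapling", "off").lower() != "on":
        findings.append("OCSP stapling disabled")
    elif "sslstaplingcache" not in seen:
        findings.append("SSLUseStapling on but no SSLStaplingCache configured")
    if not hsts:
        findings.append("no Strict-Transport-Security header (needed for A+)")
    return findings


# Constructed sample: the directives from the post, without HSTS.
THREAD_CONFIG = """
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:HIGH:!MD5:!RC4:!DES:!MD5:!PSK:!aNULL:!eNULL:!EXPORT
SSLHonorCipherOrder on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
#SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)"
SSLStaplingResponseMaxAge 600
"""

# Constructed sample: a weak fragment that leaves SSLv3 and client cipher choice.
WEAK_CONFIG = """
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCompression on
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, lint_ssl_config(cfg) or "OK")
```

    Run it against a copy of your own ssl.conf by reading the file into `lint_ssl_config`. The checks are deliberately textual: the script does not expand `HIGH` the way `openssl ciphers -v` does, so it catches missing exclusions but not a weak suite that sneaks in through a group keyword.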

  • I am using Mozilla's recommendation with a tweak. I removed any cipher without Forward Secrecy or with 3DES. This just creates an incompatibility with IE8/WinXP.

    This also supports Android 2.3+.

    Additionally, some people recommend generating your own DH primes.
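    The trimming rule in the post above (keep only suites with forward secrecy, drop 3DES), as an added example that is not the poster's code and not Mozilla's generator. It works on an explicit colon-separated list of OpenSSL suite names, which is the form Mozilla's recommendation takes; the sample list is constructed from real OpenSSL names and is not Mozilla's actual list. The assumptions are that ephemeral key exchange is recognisable by an `ECDHE-` or `DHE-` prefix and 3DES by `DES-CBC3` in the name, which holds for TLS 1.2 and earlier naming.

```python
"""Filter an explicit OpenSSL cipher list: forward secrecy only, no 3DES.
Added example; not code from the thread or from Mozilla's SSL config generator."""

# Assumption: (EC)DHE key exchange appears as a name prefix in OpenSSL suite names.
FS_PREFIXES = ("ECDHE-", "DHE-")


def has_forward_secrecy(cipher):
    """True when the suite uses ephemeral (EC)DH key exchange."""
    return cipher.upper().startswith(FS_PREFIXES)


def uses_3des(cipher):
    """OpenSSL names 3DES suites with DES-CBC3."""
    return "DES-CBC3" in cipher.upper()


def filter_cipher_list(cipher_string):
    """Return (kept, dropped); kept preserves the original preference order,
    dropped carries (name, reason).  Expects explicit suite names, not group
    keywords such as HIGH, which this function cannot expand."""
    kept, dropped = [], []
    for name in cipher_string.split(":"):
        if not name:
            continue
        if not has_forward_secrecy(name):
            dropped.append((name, "no forward secrecy"))
        elif uses_3des(name):
            dropped.append((name, "3DES"))
        else:
            kept.append(name)
    return kept, dropped


def to_apache_directive(kept):
    """Render the kept list as an SSLCipherSuite line for ssl.conf."""
    return "SSLCipherSuite " + ":".join(kept)


# Constructed sample (real OpenSSL suite names, chosen to exercise both rules).
SAMPLE = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:"
          "ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:DES-CBC3-SHA:AES256-SHA")

if __name__ == "__main__":
    kept, dropped = filter_cipher_list(SAMPLE)
    print(to_apache_directive(kept))
    for name, reason in dropped:
        print(f"dropped {name}: {reason}")
```

    Dropping the non-FS and 3DES suites is what costs IE8 on Windows XP, as the post says: that client only offers RSA key exchange with RC4 or 3DES, so nothing in the kept list overlaps with it.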