httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Mehler <dave.meh...@gmail.com>
Subject Re: [users@httpd] Enabling Forward secrecy on SSL
Date Fri, 17 Mar 2017 19:12:55 GMT
Hello,

Try this configuration. If anyone can take a look at this setup if
I've missed something or need to get a protocol adjustment let me
know. I get an A+ on ssllabs.

Hth
Dave.

httpd-ssl.conf:
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

# OCSP Stapling settings
SSLUseStapling On
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLStaplingResponderTimeout 15
SSLStaplingReturnResponderErrors off
SSLStaplingStandardCacheTimeout 3600

# For modern configuration
SSLProtocol all -SSLv2 -SSLv3
        # Enable PFS
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression Off
SSLSessionTickets Off
# Strong dh parameters file
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

# For temporary legacy intermediate clients
#SSLProtocol             all -SSLv2 -SSLv3
#SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#SSLHonorCipherOrder     on
#SSLCompression          off
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache24/sslvhost"
ServerName www.example.com:443
ServerAdmin webmaster@example.com
ErrorLog "/var/log/http-ssl-error.log"
TransferLog "/var/log/httpd-ssl-access.log"
SSLEngine on
SSLCertificateFile
"/usr/local/etc/letsencrypt/live/webmail.example.com/fullchain.pem"
SSLCertificateKeyFile
"/usr/local/etc/letsencrypt/live/webmail.example.com/privkey.pem"

# harden with http strict transport security
# Add 6 month HSTS header for all users
#Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
    Header always set Strict-Transport-Security "max-age=63072000;
includeSubdomains; preload"

# Avoid click jacking
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
	<Directory /usr/local/www/apache24/sslvhost>
Require all granted
Options FollowSymLinks
AllowOverRide none
	</Directory>
<Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
CustomLog "/var/log/httpd-ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


On 3/17/17, Chunduru, Krishnachaithanya
<Krishnachaithanya.Chunduru@broadridge.com> wrote:
> Hi All,
>
> Can someone advise me on how to achieve the below on a server running with
> Apache SSL enabled.
>
>
> *         SSL - Supports Weak Encryption  The following protocols should be
> switched on - TLS 1.2, TLS 1.1, TLS 1.0. SSL 3 and SSL 2 should be
> disabled.
>
> *         Weak Configuration - SSL/TLS - Deprecated Protocol: Disable the
> use of SSL 2.0 and 3.0 as well as TLS 1.0. Use TLS 1.1, 1.2, or later and
> set the latest protocol as preferred.
>
> *         The Server Does Not Support Forward Secrecy :
>
> Regards,
> Krishna
>
>
> This message and any attachments are intended only for the use of the
> addressee and may contain information that is privileged and confidential.
> If the reader of the message is not the intended recipient or an authorized
> representative of the intended recipient, you are hereby notified that any
> dissemination of this communication is strictly prohibited. If you have
> received this communication in error, please notify us immediately by e-mail
> and delete the message and any attachments from your system.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message