Configuring your Apache Web Server can be rather involved because so many areas touch the overall process: which components of the server you are trying to configure, and what you are trying to achieve in terms of both performance and security. So I’ll jump right into configuration from an e-commerce point of view, working out how to ensure our TLS (Transport Layer Security) configuration, or SSL (Secure Sockets Layer) as its predecessor was called, is locked up tight. Forgive me if I refer to SSL from here on out, as old habits are hard to break.
Let’s assume that you’ve already uncommented the line “Include conf/extra/httpd-ssl.conf” in httpd.conf (it sits under the comment referring to “Secure (SSL/TLS) connections”), so that Apache loads the SSL virtual host configuration at all. Now here’s where things get a little easier for us, as we can turn to qualified resources for help with both the configuration and the analysis of our TLS/SSL set-up.
First of all, let’s head over to the Mozilla SSL Configuration Generator and plug in a few important pieces of information: Server Version, OpenSSL Version and HSTS Enabled. Make sure that you’ve entered your information in the appropriate fields (e.g. Server Version 2.4.17) and that you have checked HSTS as “Enabled”. One more thing: you’ll also notice three radio button options, “Modern”, “Intermediate” and “Old”. They refer to compatible client profiles, so unless you have a compelling reason to potentially alienate part of your audience with either too “Modern” or too “Old” a profile, stick with “Intermediate”, as it’s your best bet for capturing the widest range of compatible clients, in other words your audience. For more information, see Mozilla’s “Recommended configurations” page. You should now see a readout of your ideal configuration like the one below:
<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
Make note of the path references (certificate, private key and the stapling cache) and adjust them accordingly. Once you’ve made the necessary path changes, copy your newly created set-up, open your httpd-ssl.conf file and paste it below this commented line:
## SSL Virtual Host Context
Save and restart Apache. If everything was done correctly it should restart cleanly, and you can then test your new configuration. Now let’s visit Qualys SSL Labs, a free online service that performs a deep analysis of SSL web server configurations. Enter your secure web address (https://) and submit the site for analysis.
If all went smoothly you should see a nice big “A+” overall rating. Congratulations!
If not, check your path references and client profile set-up; it’s probably something simple.
BTW, if you’re interested, check out Comodo SSL Analyzer as well. It’s free of charge and provides essential information about the security level of both the SSL certificate and the web server software.
Even if you aren’t an SSL expert, this setup and testing plan is straightforward, allowing you to assess your TLS/SSL server configuration with confidence.
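As an added example (not from the original post or from Mozilla’s generator), here is a small Python checker that lints a pasted SSL configuration snippet against the intermediate profile settings quoted above, so the usual misses (SSLv3 left on, compression on, no HSTS header, a stray weak cipher) are caught before the SSL Labs run. The two sample snippets are constructed for the demonstration.

```python
import re
HSTS_MIN_AGE = 15768000   # 6 months, the value in the generated config above
REQUIRED = {"SSLCompression": "off", "SSLHonorCipherOrder": "on",
            "SSLSessionTickets": "off", "SSLUseStapling": "on"}
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXP", "MD5")   # flagged unless negated with "!"

def parse_directives(conf_text):
    """Yield (directive, value) for each uncommented line, skipping <VirtualHost> tags."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            yield name, value.strip()

def audit(conf_text):
    """Return a list of findings; an empty list means the snippet matches the profile."""
    found, hsts_age = {}, None
    for name, value in parse_directives(conf_text):
        found[name] = value          # later occurrences override earlier ones
        m = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', value)
        if name == "Header" and m:
            hsts_age = int(m.group(1))
    findings = []
    tokens = found.get("SSLProtocol", "").split()
    if ("all" in tokens or "SSLv3" in tokens or "+SSLv3" in tokens) and "-SSLv3" not in tokens:
        findings.append("SSLProtocol still allows SSLv3; use 'all -SSLv3'")
    for directive, want in REQUIRED.items():
        if found.get(directive, "").lower() != want:
            findings.append(f"{directive} should be '{want}' (got '{found.get(directive, 'unset')}')")
    for suite in found.get("SSLCipherSuite", "").split(":"):
        if not suite.startswith("!") and any(w in suite.upper() for w in WEAK_CIPHER_MARKERS):
            findings.append(f"SSLCipherSuite enables weak suite {suite}")
    if hsts_age is None:
        findings.append("Strict-Transport-Security header missing (mod_headers required)")
    elif hsts_age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {hsts_age} is below {HSTS_MIN_AGE} (6 months)")
    return findings

# Constructed samples: a weak legacy snippet beside the profile's hardened settings.
WEAK_CONF = """SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:RC4-SHA:!aNULL
SSLCompression on
"""
HARDENED_CONF = """Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
"""
```

Run it with `audit(open("httpd-ssl.conf").read())` on your own file; the weak sample above yields seven findings, the hardened one none.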