Apache SSL Configuration Snippets

Wed 01 March 2015
By alex

Certificates, Protocols and Options

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/cert.pem
SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on          # Ciphers specified by the server take precedence
# Optional, defaults to off
SSLInsecureRenegotiation off    # Mitigates CVE-2009-3555
SSLCompression off              # Mitigates CRIME and BEAST attacks (Apache 2.4 only)

Cipher Suites

See Mozilla TLS Recommendations

Modern

This meets Perfect Forward Secrecy standards

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

or

SSLCipherSuite AES256+EECDH:AES256+EDH

Compatible

This will achieve a Cipher Strength of 90 from Qualys

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

or

SSLCipherSuite HIGH:!MD5:!RC4:!aNULL:!eNULL:!EXP

Legacy

Avoid using where possible

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

HSTS

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

OCSP Stapling

SSLStaplingCache shmcb:/tmp/stapling_cache(128000) # place outside <virtualhost></virtualhost>
SSLCACertificateFile /etc/apache2/ssl/ca-certs.pem
SSLUseStapling on

So what's all this mean?

SSL is bad, disable it and use TLS exclusivly ( see wikipedia's listing of SSL vulnerabilities)

We want the server, not the client, to mandate the order in which SSL ciphers will be used

HTTP Strict-Transport-Security (HSTS) is a policy that explicity tells web clients to use the HTTPS version of a resource. When a webserver redirects a non-HTTP request to an HTTPS version of the same site, HSTS mandates that the webserver includes a Strict-Transport-Security header telling the client to use the secure site.

Disabling SSL compression mitigates the CRIME and BREACH attacks. The SSLCompression directive is available in apache >= 2.4.3. The default setting is off.

Disabling insecure renegotiation mitigates CVE-2009-3555. The SSLInsecureRenegotiation directive is available in apache >= 2.2.15. The default setting is off.

OCSP staping is cool because it lets the webserver verify the certificate revokation status (OCSP/CRL) and relay that information to the client. This alleviates each client from contacting the OSCP server. Sweet.

There's a ton of ciphers to choose from when configuring SSLCipherSuite and it can be overwhelming. There are aliases that can be used (HIGH, MEDIUM, LOW) but the only one that's acceptable to use anymore is HIGH. Aliases do work, SSLCipherSuite HIGH:!MD5:!RC4:!aNULL:!eNULL:!EXP but for the best control (speed vs. security) explicitly defining ciphers should be used.

Forward Secrecy ( aka Perfect Forward Secrecy or PFS) is not a setting, but rather it's a standard that's achieved when secure key-exchange ciphers are used. These secure ciphers are deemed to provide a level of encryption that will prevent future decryption attacks given a reasonable amount of time

There are alot of SSLCipherSuite configurations floating around the Internet. Alot of these are old and may no longer be the recommended configuration. Mozilla has an extremely comprehensive writeup of implementing encryption and the ciphers they recommend using, including use cases for each set.

So now what?

Setup your servers and test your configurations using the Qualys SSL Analyzer and GlobalSign's SSL Checker. Remember, only you can prevent shitty encryption on your sites.

Links:

Mozilla Server Side TLS

GlobalSign SSL Checker

Qualys SSL Analyzer

Strong SSL on Apache

Configure Forward Secrecy

Strict Transport Security

Configure OCSP Stapling on Apache and Nginx