A better SSL configuration for Apache 2

Tags: security, linux

Published on Saturday, January 25, 2014

« Previous post: EtherCurve, a tool for visualizing … — Next post: Building a FreeBSD NAS, part III: ZFS »

RC4 with TLS has been broken for quite some time now, but I did not yet manage to make the switch. Having a little time on my hands, I decided to future-proof my Apache configuration.

Basically, what I want to do is:

Disable ciphers for SSL that have known weaknesses. RC4, I am looking at you. DES, yes, you are meant as well. This includes ciphers that are marked EXPORT.
Use TLS 1.2 instead of the older versions.
Enable “Perfect forward secrecy” to annoy the NSA. Yes, using encryption might make you a target. They also admitted to storing encrypted session data with the express purpose of maybe being able to decrypt it after obtaining the private key of the server. Good luck with that.

It took me a while to collate the necessary information, but I finally managed to arrive at the following configuration for Apache:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCompression Off

Unfortunately, squeeze does not ship with OpenSSL 1.0 and Apache 2.4, which means that not all ciphers are currently supported. Thus, perfect forward secrecy will only work with a few choice browsers, but at least the configuration is better than it was before.

Some references which proved very helpful:

Hynek Schlawack’s notes on hardening SSL ciphers
The Apache documentation for mod_ssl. I am liking to the most recent version altough my server does not support it yet.
An interesting discussion on Information Security Stack Exchange. Thomas Pornin’s answer was very detailed.