Fix Common SSL/TLS Problems in Apache2

Qualys SSL Labs has some great tools to check your server’s SSL/TLS installation to make sure they don’t fall victim to common vulnerabilities or exploits that seem to be discovered every month. If you’re running an Apache2 installation, securing your server against most SSL/TLS vulnerabilities is as easy as enabling the headers Apache module, and then a few lines to your SSL configuration.

First, enable the headers module so Apache2 can modify headers sent to the client:

pengc99@alpha:~$ sudo a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
 service apache2 restart
pengc99@alpha:~$

Then add the following lines to your SSL configuration:

# Make the server secure
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!DH

Restart your server:

pengc99@alpha:~$ sudo /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .
pengc99@alpha:~$

That’s it! Now go run the test at https://www.ssllabs.com/ssltest/ and marvel at your server’s newfound security!

ssl

Continue Reading