This tutorial shows you how to set up strong SSL security on the Apache2 webserver.

**Disable SSLv2 and SSLv3**SSL v2 is insecure, so we need to disable it. We also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. SSLv3 allows exploiting of the

POODLE bug.

To do this, you'll have to edit the

*/usr/local/apache/conf.d/vhosts-ssl.conf* for every VirtualHost that you have.

After "

*SSLEngine on*" line, insert this line:

`SSLProtocol All -SSLv2 -SSLv3`

**The Cipher Suite**Forward Secrecy ensures the integrity of a session key in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new key for each and every session. This means that when the private key gets compromised it cannot be used to decrypt recorded SSL traffic. The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is their overhead, which can be improved by using the elliptic curve variants.

The following two ciphersuites are recommended by

Mozilla Foundation.

After "

*SSLProtocol All -SSLv2 -SSLv3*" line, add:

`SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH`

Or if you need backward compatibility (IE6/WinXP), add this line:

`SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4`

By using this configuration in your ssl vhosts, you are protected by POODLE attack and your server supports Forward Secrecy with modern browsers.