
[Tutorial] Strong SSL Security for Apache
« on: November 10, 2015, 12:52:30 PM »
This tutorial shows you how to set up strong SSL security on the Apache 2 web server.

Disable SSLv2 and SSLv3
SSLv2 is insecure, so we need to disable it. We also disable SSLv3: TLS 1.0 is vulnerable to a downgrade attack that lets an attacker force a connection back to SSLv3, which disables forward secrecy, and SSLv3 itself is exploitable through the POODLE bug.

To do this, edit /usr/local/apache/conf.d/vhosts-ssl.conf and apply the change to every VirtualHost you have.
After the "SSLEngine on" line, insert this line:

Code:
SSLProtocol All -SSLv2 -SSLv3
The Cipher Suite
Forward Secrecy protects the session keys even if the server's long-term key is later compromised. PFS accomplishes this by deriving a fresh key for each and every session, so a compromised private key cannot be used to decrypt recorded SSL traffic. The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is the extra computational overhead, which can be reduced by using the elliptic-curve variants.

The following two cipher suite lists are recommended by the Mozilla Foundation.
After the "SSLProtocol All -SSLv2 -SSLv3" line, add:

Code:
Or, if you need backward compatibility (IE6/WinXP), add this line instead:
Code:
By using this configuration in your SSL vhosts, you are protected against the POODLE attack and your server supports Forward Secrecy with modern browsers.
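As an added check (not part of the original post), the following Python script reads an Apache config, evaluates the SSLProtocol directive for every SSL-enabled VirtualHost the way Apache does (vhost context overriding the global context), and reports whether SSLv2/SSLv3 are still enabled and whether the SSLCipherSuite offers an ephemeral (EC)DHE exchange. It assumes the protocol set that "All" expands to in a 2015-era Apache 2.4 build, and the sample config and cipher list are constructed for illustration, not Mozilla's recommended list.

```python
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumed: what "All" expands to in a 2015-era Apache 2.4 build

def parse_sslprotocol(value):
    """Evaluate SSLProtocol arguments as Apache does: 'All' adds every protocol, '-name' removes one, '+name' or a bare name adds one."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def directives(text):  # lowercased directive name -> last value; comments and tags skipped
    out = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def audit_ssl_vhosts(conf_text):
    """For each <VirtualHost> with 'SSLEngine on': which of SSLv2/SSLv3 are still
    enabled, and whether SSLCipherSuite offers an ephemeral (EC)DHE exchange.
    Vhost directives override the global context, as in Apache."""
    vhost_re = r"(?is)<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>"
    global_ctx = directives(re.sub(vhost_re, "", conf_text))
    report = {}
    for name, body in re.findall(vhost_re, conf_text):
        ctx = {**global_ctx, **directives(body)}
        if ctx.get("sslengine", "off").lower() != "on":
            continue
        protos = parse_sslprotocol(ctx.get("sslprotocol", "All"))  # Apache default is "All"
        ciphers = [c for c in ctx.get("sslciphersuite", "").split(":") if c and c[0] not in "!-"]
        report[name.strip()] = {
            "insecure_protocols": sorted(protos & {"SSLv2", "SSLv3"}),
            "forward_secrecy": any(c.startswith(("ECDHE", "DHE", "kEECDH", "kEDH")) for c in ciphers),
        }
    return report
# Constructed sample: *:443 is hardened as the tutorial describes, *:8443 is left at defaults.
SAMPLE_CONF = """<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLCipherSuite AES128-SHA:!aNULL
</VirtualHost>
"""
```

Running `audit_ssl_vhosts(SAMPLE_CONF)` flags the *:8443 vhost as still accepting SSLv2 and SSLv3 with no forward-secrecy ciphers, while *:443 passes both checks.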