Server: Apache Security Best Practice

Recent security issues with the SSL protocol require Apache administrators to update their server configurations accordingly.

SSL is Dead. Long live TLS!

The so-called “POODLE Attack” (CVE-2014-3566) buried the SSL protocol versions once and for all. They are no longer considered secure.

BetterCrypto

The BetterCrypto project summarizes the reasoning and gives configuration examples for securely configuring not only the Apache server but many other services as well. Its Applied Crypto Hardening handbook is published at bettercrypto.org.

Apache

Edit the respective SSL-related configuration statements and set the following values:

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add a six-month HSTS header for all users...
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header instead.
# ALL subdomains HAVE TO support HTTPS if you use this!
# Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"

When generating a self-signed certificate, consider using a 4096-bit RSA modulus (or 2048-bit for a high-volume traffic server) and SHA-2 with a 256-bit digest (SHA-256):

openssl req -x509 -days 365 -newkey rsa:4096 -sha256 -nodes -keyout localhost.key -out localhost.crt

Verification

Test your Apache web server setup using the ssllabs.com tool. If your server is graded “A” or better, you know you did a good job 🙂
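Before going to ssllabs.com it is useful to check the configuration file itself for the directives listed above. The following audit script is an added example, not part of the original post or of Apache; it applies a simplified reading of the SSLProtocol token rules and uses two constructed config fragments (the post's hardened settings and a weak variant) as input.

```python
import re

# Constructed inputs (not live configs): the post's hardened directives and a weak variant.
HARDENED = '''
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
Header always set Strict-Transport-Security "max-age=15768000"
SSLCipherSuite "EECDH+aRSA+AESGCM:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!RC4"
'''
WEAK = 'SSLProtocol All\nSSLCompression on\nSSLCipherSuite "ALL:!aNULL"\n'
MIN_HSTS_AGE = 15768000  # six months, the value the post uses
BANNED = ("aNULL", "eNULL", "LOW", "3DES", "MD5", "EXP", "RC4")  # must appear as !X

def directives(text):
    """Yield (name, value) for each non-comment line of an Apache config fragment."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            yield name, value.strip()

def protocol_enabled(tokens, proto):
    """Simplified SSLProtocol evaluation: 'All' enables every version, then '+X'/'X' adds and '-X' removes."""
    on = "all" in [t.lower() for t in tokens]
    for t in (t.lower() for t in tokens):
        if t in (proto.lower(), "+" + proto.lower()):
            on = True
        elif t == "-" + proto.lower():
            on = False
    return on

def audit(text):
    """Return findings against the directives this post asks for; [] means all are present."""
    conf = {n: v for n, v in directives(text) if n != "Header"}
    hsts = [v for n, v in directives(text) if n == "Header" and "Strict-Transport-Security" in v]
    findings = []
    for old in ("SSLv2", "SSLv3"):  # a missing SSLProtocol is treated as 'All' (conservative)
        if protocol_enabled(conf.get("SSLProtocol", "All").split(), old):
            findings.append(old + " enabled")
    if conf.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder not On")
    if conf.get("SSLCompression", "").lower() != "off":
        findings.append("SSLCompression not off")
    ages = [int(m.group(1)) for m in (re.search(r"max-age=(\d+)", h) for h in hsts) if m]
    if not any(age >= MIN_HSTS_AGE for age in ages):
        findings.append("HSTS missing or max-age below %d" % MIN_HSTS_AGE)
    suites = conf.get("SSLCipherSuite", "").strip('"').split(":")
    findings += ["SSLCipherSuite does not exclude " + w for w in BANNED if "!" + w not in suites]
    return findings
```

Calling audit(HARDENED) returns an empty list, while audit(WEAK) lists SSLv2/SSLv3 still enabled, compression on, the missing HSTS header and every cipher family the post's string excludes but the weak string does not.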

This entry was posted in BSD, Linux, Server.