How To Configure SSL For Apache Securely

I’ve been doing some reading up on best practices for SSL. From what I can gather, and seeing what other big sites are doing this seems to be the best practice as of today. This is assuming you’re in an OpenSSL 0.9.x (via mod_ssl) and Apache2 world, which is the majority of Linux/Unix based environments. Use a 2048 bits key SHA1 signed cert. Which is now pretty much standard.

SSLHonorCipherOrder On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

That will disable potentially insecure cyphers and help mitigate a BEAST attack. Note that this disables SSL 2.0 which shouldn’t be necessary for the vast majority of visitors. I don’t think many websites still support it.

One thought on “How To Configure SSL For Apache Securely

  1. why in the world should !EDH:!AESGCM help mitigate a BEAST attack?

    in fact it disables PFS for some browsers and by disable GCM you are doing the most stupid possible thing by disable ECDHE-RSA-AES128-GCM-SHA256 which is the best available option and currently not supported by browsers what will change in the near future

    here you go to prove your statements: https://www.ssllabs.com/ssltest/

Leave a Reply

Your email address will not be published. Required fields are marked *