WARNING
This is a restrictive setup that will block access to some/many clients. Please evaluate your site and client base before enabling this! Read eva2000’s reply below first: HOWTO: A+ with all 100%'s on SSL Labs test using apache2.4 (READ WARNINGS)
Use at your own risk, I have no idea what I am doing!
I finally got all 100%'s on my scores…
Here’s my config for apache2.4:
4096 bit key:
You will need to generate a 4096 bit key instead of the default 2048 bit key to get the key exchange score to 100%. To do this, run letsencrypt-auto with the --rsa-key-size 4096 flag:
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --rsa-key-size 4096
SSL Settings:
Add these directives to your apache2 config in the vhost section:
SSLEngine on
SSLCompression off
SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLUseStapling on
Note that SSLProtocol TLSv1.2 disables TLS 1.0 and 1.1 entirely and !AES128 drops every 128-bit suite; that is what pushes Protocol Support and Cipher Strength to 100%, and it is also what locks out the older clients mentioned in the warning above.
SSL Certificate and Key File Settings:
Also add these directives to your apache2 config in the same vhost section. Keep in mind you need to update the paths to the certificate and key for your own domain (replace <<< YOUR DOMAIN HERE >>>):
SSLCertificateFile "/etc/letsencrypt/live/<<< YOUR DOMAIN HERE >>>/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/<<< YOUR DOMAIN HERE >>>/privkey.pem"
DH parameters:
Generate >=4096 bit dhparams using your openssl binary. This will take some time:
openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
If you have openssl >= 1.0.2d installed (type openssl version to find out) and Apache 2.4.8 or later (the release that added SSLOpenSSLConfCmd), you can use the following line in your apache2 vhost config:
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
If you do not have openssl >= 1.0.2d, you will need to append your dhparams to the bottom of your certificate file:
cat /etc/letsencrypt/live/<<< YOUR DOMAIN HERE >>>/fullchain.pem \
    /etc/ssl/private/dhparams_4096.pem > \
    /etc/letsencrypt/archive/<<< YOUR DOMAIN HERE >>>/fullchain_dhparams_4096.pem
Then you will use this file in place of the SSLCertificateFile above:
SSLCertificateFile "/etc/letsencrypt/archive/<<< YOUR DOMAIN HERE >>>/fullchain_dhparams_4096.pem"
Keep in mind that if you replace the certificate (issue a new one, renew, etc.), you will need to repeat this step, as the dhparams will not be appended to the new certificate automatically!
Headers:
You need to set a Public-Key-Pins header. Generate the first pin against the letsencrypt chain cert with the following commands (read more here: https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html):
openssl x509 -noout -in /etc/letsencrypt/live/<<< YOUR DOMAIN HERE >>>/chain.pem -pubkey | \
    openssl asn1parse -noout -inform pem -out /tmp/fingerprint.key
openssl dgst -sha256 -binary /tmp/fingerprint.key | openssl enc -base64
The next pin comes from your private key. Because privkey.pem is a key and not a certificate, openssl x509 cannot read it; use openssl rsa -pubout to extract the public key instead, then hash its DER encoding the same way:
openssl rsa -in /etc/letsencrypt/live/<<< YOUR DOMAIN HERE >>>/privkey.pem -pubout | \
    openssl asn1parse -noout -inform pem -out /tmp/fingerprint.key
openssl dgst -sha256 -binary /tmp/fingerprint.key | openssl enc -base64
You should keep this key in a safe place. Keep in mind that this pin only stays valid while the site keeps using this same key pair: if a renewal generates a new key, browsers that cached the header will refuse the site until max-age expires.
You will use these two fingerprints in the header below, in place of <<< YOUR CHAIN PIN HERE >>> and <<< YOUR PRIVATE KEY PIN HERE >>>.
I haven’t figured out a good programmatic way to get the chain cert keys, but I have found that you can get them with https://dev.ssllabs.com/ssltest/analyze.html by analyzing your own site once it’s already running.
Also add these directives to your apache2 config in the same vhost section:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set Public-Key-Pins "pin-sha256=\"<<< YOUR CHAIN PIN HERE >>>\"; pin-sha256=\"<<< YOUR PRIVATE KEY PIN HERE >>>\"; max-age=31536000; includeSubDomains"
Header always set X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Content-Type-Options nosniff
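As an added example that is not part of the original post: the pin computation above, done as reusable shell functions with the openssl CLI. It derives pin-sha256 from the SubjectPublicKeyInfo of a certificate and of a private key, checks that the certificate you serve and the private key you pin actually belong together (a mismatch would pin a key the site never presents), and renders the header value already escaped for the Apache Header directive. It assumes openssl is on PATH; the certificate, key and backup key it creates are throwaway test material generated inline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Computes HPKP pin-sha256
# values from the SubjectPublicKeyInfo (SPKI) of a certificate or of a
# private key, and checks that cert and key agree before the header ships.
# Assumes the openssl CLI is on PATH; function names are this example's own.
set -eu

# Pin of the SPKI carried in an X.509 certificate (cert.pem, chain.pem, ...).
spki_pin_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Pin of the public half of a private key. A key file is not a certificate,
# so `openssl x509` cannot read it; `openssl pkey -pubout` extracts the SPKI.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# True when the certificate's public key is the one this private key belongs
# to, i.e. pinning the key really pins what the server presents.
pins_match() {
    [ "$(spki_pin_from_cert "$1")" = "$(spki_pin_from_key "$2")" ]
}

# Public-Key-Pins value (current pin, backup pin, max-age), with the inner
# quotes escaped as \" so it can be pasted inside the double-quoted argument
# of an Apache "Header always set" directive.
hpkp_header_value() {
    printf 'pin-sha256=\\"%s\\"; pin-sha256=\\"%s\\"; max-age=%s; includeSubDomains' \
        "$1" "$2" "$3"
}

# Demo on constructed input: a throwaway self-signed certificate plus a
# second, unrelated key standing in for an offline backup key. Replace the
# paths with the /etc/letsencrypt/live/<domain>/ files in practice.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/backup.pem" 2>/dev/null

    if ! pins_match "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "certificate and private key do not match; refusing to pin" >&2
        rm -rf "$dir"
        return 1
    fi
    current=$(spki_pin_from_cert "$dir/cert.pem")
    backup=$(spki_pin_from_key "$dir/backup.pem")
    echo "Header always set Public-Key-Pins \"$(hpkp_header_value "$current" "$backup" 31536000)\""
    rm -rf "$dir"
}

demo
```

The backup pin in the demo comes from a key that is not in the served chain at all, which is the point of a backup pin: it is the key you would switch to if the current one had to be replaced inside max-age. Running pins_match against the live cert.pem and privkey.pem before each deploy catches the case where a renewal silently generated a new key.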
SSL Stapling Cache:
Add the following line to your ssl.conf file (/etc/apache2/conf-available/ssl.conf):
echo 'SSLStaplingCache shmcb:/tmp/stapling_cache(2097152)' >> /etc/apache2/conf-available/ssl.conf
Enable your ssl.conf file:
a2enconf ssl
Restart Apache:
service apache2 restart
Test your site at https://www.ssllabs.com/ssltest/analyze.html. You’re done!