Recommended Apache config


#1

Is there a standard/recommended Apache config for using SSL.

My current one is based on various web sources, but things have probably moved on since I last looked in to it.

Thanks
Andrew

#SSL
SSLCertificateFile      /etc/letsencrypt/live/[dir]/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/[dir]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[dir]/chain.pem
 
#SSL stapling
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
 
# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off
SSLOptions +StrictRequire

#2

Yes, there is.

https://mozilla.github.io/server-side-tls/ssl-config-generator/


#3

[I was wrong - see _az’s reply below]
Thanks _az.
It seemed such an obvious question that there had to be an ‘official’ answer.
I tested the “mozilla” “modern” config with the ssllabs online test : https://www.ssllabs.com/ssltest/index.html
=> the mozilla config leaves out the chain file
=> the ssllabs test wants it (without it, got a B, with it, an A+)
Might be worth recommending the “mozilla config” it in the Letsencrypt documentation.


#4

If you pass fullchain.pem to SSLCertificateFile in Apache 2.4.8 or newer, it will automatically deal with chaining the intermediate for you.

If you enter your Apache version into the Server Version field on the config generator, it will automatically adjust the configuration for you, to reflect the above.

Same thing with OpenSSL version and the ciphersuite selection.


#5

Thanks again _az

This gets A+

This is an excerpt from the recommended config. Do I need the SSLCACertificateFile?

 SSLCertificateFile                  /etc/letsencrypt/live/[dir]/fullchain.pem
 SSLCertificateKeyFile            /etc/letsencrypt/live/[dir]/privkey.pem

 # Uncomment the following directive when using client certificate authentication
 # SSLCACertificateFile          /path/to/ca_certs_for_client_authentication

#6

No you don’t, it’s for client certificates which is used for mutual authentication (if you needed it, you’d know it).


#7

Thanks again!

_az’s solution is:

Use the config from https://mozilla.github.io/server-side-tls/ssl-config-generator/ with:

  SSLCertificateFile          /etc/letsencrypt/live/[dir]/fullchain.pem
  SSLCertificateKeyFile       /etc/letsencrypt/live/[dir]/privkey.pem

And don’t worry about the SSLCACertificateFile directive


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.