Recommended Apache config

Is there a standard/recommended Apache config for using SSL?

My current one is based on various web sources, but things have probably moved on since I last looked in to it.

Thanks
Andrew

#SSL
SSLCertificateFile      /etc/letsencrypt/live/[dir]/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/[dir]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[dir]/chain.pem
 
#SSL stapling
# The cache alone does not enable stapling; SSLUseStapling turns it on
SSLUseStapling          on
SSLStaplingCache        shmcb:/tmp/stapling_cache(128000)
 
# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off
SSLOptions +StrictRequire

Yes, there is.

https://mozilla.github.io/server-side-tls/ssl-config-generator/

[I was wrong - see _az’s reply below]
Thanks _az.
It seemed such an obvious question that there had to be an ‘official’ answer.
I tested the “mozilla” “modern” config with the ssllabs online test: https://www.ssllabs.com/ssltest/index.html
=> the mozilla config leaves out the chain file
=> the ssllabs test wants it (without it, got a B, with it, an A+)
Might be worth recommending the “mozilla config” in the Letsencrypt documentation.

If you pass fullchain.pem to SSLCertificateFile in Apache 2.4.8 or newer, it will automatically deal with chaining the intermediate for you.

If you enter your Apache version into the Server Version field on the config generator, it will automatically adjust the configuration for you, to reflect the above.

Same thing with OpenSSL version and the ciphersuite selection.

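The B-versus-A+ difference above comes down to whether the server sends the intermediate certificate, and the stapling cache line only matters if a staple actually goes out. This added script (not from the thread or from Mozilla's generator) summarises what a server really sends from the text output of `openssl s_client -connect HOST:443 -servername HOST -showcerts -status </dev/null`; the two sample outputs are constructed, with placeholder PEM bodies and made-up hostnames.

```shell
#!/bin/sh
# Reads openssl s_client -showcerts -status output on stdin and reports the
# number of chain certificates (1 means the intermediate is missing), whether
# an OCSP staple was returned, and the negotiated protocol.
audit_tls_handshake() {
  out=$(cat)
  # Each " N s:" line is one certificate the server sent in its chain.
  certs=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
  if [ "$certs" -ge 2 ]; then chain=complete; else chain=incomplete; fi
  # Only present when the server answered the status_request extension.
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    stapling=yes
  else
    stapling=no
  fi
  # "Protocol  : TLSv1.x" line from the SSL-Session block.
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  printf 'certs=%s chain=%s stapling=%s protocol=%s\n' \
    "$certs" "$chain" "$stapling" "${proto:-unknown}"
}

# Constructed output for a server that sends only the leaf (cert.pem without a
# chain file) and has no stapling: the case that scored a B above.
SAMPLE_CERT_ONLY='OCSP response: no response sent
Certificate chain
 0 s:CN = example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB(constructed placeholder)
-----END CERTIFICATE-----
---
SSL-Session:
    Protocol  : TLSv1.2'

# Constructed output after switching to fullchain.pem and enabling stapling.
SAMPLE_FULLCHAIN='OCSP Response Data:
    OCSP Response Status: successful (0x0)
Certificate chain
 0 s:CN = example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
SSL-Session:
    Protocol  : TLSv1.3'

printf '%s\n' "$SAMPLE_CERT_ONLY" | audit_tls_handshake
printf '%s\n' "$SAMPLE_FULLCHAIN" | audit_tls_handshake
```

Pipe real `s_client` output into `audit_tls_handshake` after changing the config to confirm the chain and staple before re-running the ssllabs test.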

Thanks again _az

This gets A+

This is an excerpt from the recommended config. Do I need the SSLCACertificateFile?

 SSLCertificateFile      /etc/letsencrypt/live/[dir]/fullchain.pem
 SSLCertificateKeyFile   /etc/letsencrypt/live/[dir]/privkey.pem

 # Uncomment the following directive when using client certificate authentication
 # SSLCACertificateFile  /path/to/ca_certs_for_client_authentication

No, you don’t; it’s for client certificates, which are used for mutual authentication (if you needed it, you’d know it).

Thanks again!

_az’s solution is:

Use the config from https://mozilla.github.io/server-side-tls/ssl-config-generator/ with:

  SSLCertificateFile          /etc/letsencrypt/live/[dir]/fullchain.pem
  SSLCertificateKeyFile       /etc/letsencrypt/live/[dir]/privkey.pem

And don’t worry about the SSLCACertificateFile directive.
