Best practice Apache SSL configuration – Ciphers

Upon installation, the default Apache SSL configuration for SSL standards are not optimal and will achieve low scores when run through SSL implementation testing services such as Qualys’ SSL Labs.

The below configuration lines can be added to your Apache configuration to achieve a higher grade and improve the security of your SSL/HTTPS implementation using Apache and OpenSSL. As of February 2014 this configuration achieves an “A-” on the Qualys results when using RedHat/CentOS operating system and standard repo installations of Apache and OpenSSL. The main reason that the result is not better is due to the fact that RedHat currently has concerns over “possible patent issues”.

How to

In order to use the below configuration, simply add the below files to a new configuration file in the Apache configuration directly and then restart Apache. The assumes that you have already installed your SSL certificate in Apache and have the necessary libraries available for use.

vi /etc/http/conf.d/ssl_ciphers.conf

Once the new file has been created, add the below content and then save the file.

Update: The below is not going to be kept updated, so I recommend using CloudFlare’s configuration which is regularly updated.

SSLProtocol -ALL +TLSv1 
SSLHonorCipherOrder On 
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH

The last step to implement this is to restart Apache.

service httpd restart

Once the above is complete, you can verify the installation security using the previously reference Qualys’ SSL Labs tool.

[2014/11/20 – The above article has been updated to reflect the POODLE vulnerability]

Image credit: Adam Foster

Leave a Reply

Your email address will not be published.