Tech Blog

Road warriors at one of my customers, who use phones and tablets to access an SSL-secured web shop built with Magento, complained about various SSL errors.
So I investigated and decided to set up the SSL cipher suites, PFS (forward secrecy) and TLS configuration from scratch...

To check my efforts and for quality assurance, I used the SSL Checker from SSL Labs and checked the result against the Mozilla Config Generator.

Common problems found and fixed:

  • Upgrade Apache2 and OpenSSL on the web server.
  • Root CA and intermediate certificate missing. Download your intermediate certificates and root certificate from your trust center and install them:

    SSLEngine On
    SSLCertificateFile /etc/apache2/apache2.pem
    SSLCACertificateFile /etc/apache2/root.ca
    SSLCertificateKeyFile /etc/apache2/apache2.key
    SSLCertificateChainFile /etc/apache2/intermediate.cert

  • Weak Diffie-Hellman key for TLS. Regenerate new DH parameters (2048 bits) with the following command and append the generated text to your certificate file:

    openssl dhparam -out /etc/ssl/dhparams.pem 2048

    Append it to your cert (the same file named in SSLCertificateFile):

    cat /etc/ssl/dhparams.pem >> /etc/apache2/apache2.pem

  • And, of course, check and reload the Apache config:

    apache2ctl configtest ; apache2ctl graceful

    After applying all of these steps, my customer's site reached Grade A on the Qualys SSL Labs checker. The config snippet of the host config:

    SSLEngine On
    SSLCertificateFile /etc/apache2/apache2.pem
    SSLCACertificateFile /etc/apache2/root.ca
    SSLCertificateKeyFile /etc/apache2/apache2.key
    SSLCertificateChainFile /etc/apache2/intermediate.cert
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    # Only for Apache2 newer than 2.4.7
    # SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem"
    SSLHonorCipherOrder     on
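As an added example (not from the original post), a small Python linter that parses the SSL directives of a vhost snippet like the one above and reports the points SSL Labs marks down: SSLv2/SSLv3 still enabled, cipher order not honoured, 3DES suites, and non-forward-secret or catch-all entries (AES, CAMELLIA) in the cipher list. The sample config is constructed from a trimmed version of the snippet above.

```python
import re

# Constructed sample: the host config from the post with a trimmed cipher list.
SAMPLE_CONFIG = """
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!RC4
SSLHonorCipherOrder on
"""

# Plain-RSA key exchange suites and catch-all aliases (AES, CAMELLIA): no PFS.
NON_PFS = re.compile(r"(AES|CAMELLIA)\d*(-GCM)?(-SHA\d*)?")


def parse_directives(text):
    """Map directive name -> value, skipping blank lines and comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def lint_ssl_config(text):
    """Return sorted finding strings; an empty list means nothing flagged."""
    d = parse_directives(text)
    findings = []
    proto = d.get("SSLProtocol", "all").split()
    for legacy in ("SSLv2", "SSLv3"):
        explicitly_on = legacy in proto or "+" + legacy in proto
        via_all = "all" in proto and "-" + legacy not in proto
        if explicitly_on or via_all:
            findings.append(f"{legacy} not disabled")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder not on")
    # Positive entries only; '!' entries are exclusions, not offered suites.
    suites = [s for s in d.get("SSLCipherSuite", "").split(":")
              if s and not s.startswith("!")]
    if suites and not suites[0].startswith(("ECDHE-", "DHE-")):
        findings.append("first cipher is not forward secret")
    for s in suites:
        if "DES-CBC3" in s:
            findings.append(f"3DES suite enabled: {s}")
        elif NON_PFS.fullmatch(s):
            findings.append(f"non-PFS or catch-all suite enabled: {s}")
    return sorted(findings)
```

Run lint_ssl_config on the text of your own vhost file; an empty result means none of the checks fired, which is not the same as a Grade A, so still re-test with SSL Labs after reloading.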
