Revision 1 as of 2022-09-23 16:29:59
Size: 1221
Size: 1308
| Line 13: | Line 13: |
| The minimal configuration for `httpd(8)` to use SSL/TLS certificates is: | The minimal site configuration for `httpd(8)` to use SSL/TLS certificates is: |
| Line 31: | Line 31: |
| The following lines are the modern recommended configurations for secure SSL/TLS encryption. | The protocols and ciphers used by `httpd(8)` are handled by server configuration. The following lines are the modern recommended configurations for secure SSL/TLS encryption. |
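Review bot: the sentence added at Line 31 says protocols and ciphers are "handled by server configuration", and Line 13 now says "site configuration", but neither says which file or configuration context each set of directives goes in. Suggest naming the location in both sentences so the site/server distinction these two edits introduce can be acted on.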
Apache SSL
httpd(8) does not have built-in support for SSL/TLS encryption, but an official extension module is available.
Configuration
The minimal site configuration for httpd(8) to use SSL/TLS certificates is:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.crt"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>
Hardening
The protocols and ciphers used by httpd(8) are handled by server configuration. The following lines are the modern recommended configurations for secure SSL/TLS encryption.
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Also include the line below so that the server's configured cipher order is enforced over the client's selection.
SSLHonorCipherOrder on
Note that all is a shortcut and the meaning depends on the linked version of OpenSSL. As of version 1.0.1, it expands to +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2. For older versions, it expands to +SSLv2 +SSLv3 +TLSv1.
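The following is an added example, not part of the original page or of the httpd project: a small Python audit that resolves an SSLProtocol value into the protocols it actually enables, using the expansion of all described above, and checks SSLHonorCipherOrder. The function names, the WEAK policy set, the treatment of a bare (unsigned) token and the LEGACY sample are assumptions made for illustration.

```python
import re

# Expansion of the "all" shortcut exactly as this page states it.
ALL_SINCE_1_0_1 = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
ALL_OLDER = {"SSLv2", "SSLv3", "TLSv1"}
KNOWN = {p.lower(): p for p in ALL_SINCE_1_0_1 | {"TLSv1.3"}}
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumption: anything below TLSv1.2

def resolve_protocols(value, openssl_since_1_0_1=True):
    """Turn an SSLProtocol argument string into the set of enabled protocols."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "all":
            group = set(ALL_SINCE_1_0_1 if openssl_since_1_0_1 else ALL_OLDER)
        elif name in KNOWN:
            group = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group  # assumption: a bare token replaces the set so far
    return enabled

def audit(config_text, openssl_since_1_0_1=True):
    """Report weak protocols and whether SSLHonorCipherOrder is on.
    Simplification: contexts are ignored and the last directive seen wins."""
    protocols, honor = None, False
    for raw in config_text.splitlines():
        m = re.match(r"(?i)(SSLProtocol|SSLHonorCipherOrder)\s+(.+)$", raw.strip())
        if not m:
            continue  # comments and unrelated directives
        if m.group(1).lower() == "sslprotocol":
            protocols = resolve_protocols(m.group(2), openssl_since_1_0_1)
        else:
            honor = m.group(2).strip().lower() == "on"
    weak = sorted(protocols & WEAK) if protocols is not None else None
    return {"weak_protocols": weak, "honor_cipher_order": honor}

HARDENED = "SSLProtocol -all +TLSv1.3 +TLSv1.2\nSSLHonorCipherOrder on"  # from this page
LEGACY = "SSLProtocol all -SSLv2 -SSLv3"  # constructed sample

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, audit(text))
```

A weak_protocols value of None means no SSLProtocol directive was found, so the result depends on the server's default rather than on the file.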
