Apache SSL

httpd(8) does not have built-in support for SSL/TLS encryption, but an official extension module is available.

Contents

  1. Apache SSL
    1. Configuration
      1. Hardening

Configuration

The minimal site configuration needed to use a certificate is: 

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
  ServerName www.example.com
  SSLEngine on
  SSLCertificateFile "/path/to/www.example.com.crt"
  SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

Hardening

The protocols and ciphers used by httpd(8) are handled by server configuration. The following lines are the modern recommendations. 

SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Also include the below line to ensure that server configurations are enforced over client selection. 

SSLHonorCipherOrder on

Note that all is a shortcut and the meaning depends on the linked SSL library. As of OpenSSL version 1.0.1, it expands to +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2. For older versions, it expands to +SSLv2 +SSLv3 +TLSv1.

CategoryRicottone

Apache/SSL (last edited 2023-01-09 03:31:38 by DominicRicottone)