ViaThinkSoft CodeLib
You can check your server for common problems with SSL/TLS: https://www.ssllabs.com/ssltest/
The following cipher suites were recommended by ViaThinkSoft on 27 April 2019:
Create /etc/apache2/mods-enabled/vts_ssl.conf with the following contents:
<IfModule mod_ssl.c>
# Config taken from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.1.0j&hsts=yes&profile=modern
# on 27 April 2019
#
# -----------------------------------------------------------------
#
# The following changes were made:
#
# (1) Removed 2 ciphers because they are marked as weak in ssllabs.com ( https://www.ssllabs.com/ssltest/analyze.html?d=viathinksoft.de&s=37.48.104.196 )
#
# Suite name (SSL Labs)                      Apache/OpenSSL name (https://wiki.mozilla.org/Security/Server_Side_TLS)
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384      ECDHE-RSA-AES256-SHA384
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256      ECDHE-RSA-AES128-SHA256
#
# So, the following strings have been removed from SSLCipherSuite:
# :ECDHE-RSA-AES256-SHA384
# :ECDHE-RSA-AES128-SHA256
#
# However, this destroyed compatibility with IE11/Win7!
#
# (2) Added 2 ciphers which were green in ssllabs.com using the default Apache config (if SSLCipherSuite is commented out),
# but for some reason they are marked as yellow at Mozilla ( https://wiki.mozilla.org/Security/Server_Side_TLS )
# and therefore were not added to the "modern" recommendation.
#
# Suite name (SSL Labs)                      Apache/OpenSSL name (https://wiki.mozilla.org/Security/Server_Side_TLS)
# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384        DHE-RSA-AES256-GCM-SHA384
# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256        DHE-RSA-AES128-GCM-SHA256
#
# So we add to SSLCipherSuite:
# :DHE-RSA-AES256-GCM-SHA384
# :DHE-RSA-AES128-GCM-SHA256
#
# This gave us back IE11/Win7 compatibility!
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Mozilla "modern" recommendation 27 Apr 2019:
# SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# Modified (see above):
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# Added by ViaThinkSoft
# created using openssl dhparam -out /etc/apache2/dhparams.pem 4096
SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparams.pem"
</IfModule>
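The comments above describe two manual checks: which suites differ between the Mozilla "modern" list and the ViaThinkSoft list, and which remaining suites are CBC-mode (the ones SSL Labs grades as weak). The following script is an added example, not part of the original how-to or of ViaThinkSoft's tooling: it parses a mod_ssl fragment like the one above and lints it for the properties this page cares about (legacy protocols left enabled, suites without forward secrecy, CBC suites, the on/off directives, and DHE suites offered without custom DH parameters). It understands explicit OpenSSL suite names only, not aliases such as HIGH; the `WEAK_CONFIG` fragment is a constructed input used to show the findings it reports.

```python
"""Lint an Apache mod_ssl fragment for the properties the how-to above cares about."""

# Substrings of OpenSSL suite names that identify an AEAD bulk cipher. Suites
# without one are CBC suites with a separate HMAC (names ending in -SHA,
# -SHA256, -SHA384), which SSL Labs grades as "weak".
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305", "-CCM")

# Versions that "all" switches on and that must be disabled with "-".
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

# Directives the how-to sets, with the value it expects.
EXPECTED = {"SSLHonorCipherOrder": "on", "SSLCompression": "off",
            "SSLSessionTickets": "off", "SSLUseStapling": "on"}

# Directives from the page's config (comments and IfModule wrapper omitted).
PAGE_CONFIG = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparams.pem"
"""

# Mozilla "modern" list quoted in the page's comment, for the diff check.
MOZILLA_MODERN_2019 = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                       "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                       "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                       "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
                       "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")

# Constructed weak fragment (not from the page) to exercise the findings.
WEAK_CONFIG = """
SSLProtocol all -SSLv2
SSLCipherSuite AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256
SSLCompression on
"""


def parse_mod_ssl(text):
    """Return {directive: value} for active lines; first occurrence wins.
    SSLOpenSSLConfCmd is keyed by its sub-command, e.g. 'SSLOpenSSLConfCmd DHParameters'."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts
        if name == "SSLOpenSSLConfCmd":
            sub, _, value = value.partition(" ")
            name = f"{name} {sub}"
        directives.setdefault(name, value.strip().strip('"'))
    return directives


def parse_cipher_list(value):
    """Split an SSLCipherSuite value into suite names, dropping empty fields."""
    return [c for c in value.split(":") if c]


def enabled_protocols(value):
    """Apply SSLProtocol tokens in order: all, +X and bare X enable, -X disables."""
    enabled = set()
    for tok in value.split():
        if tok == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def diff_cipher_lists(base, modified):
    """Suites removed from / added to `base` to obtain `modified`, in list order."""
    base_set, mod_set = set(base), set(modified)
    return ([c for c in base if c not in mod_set], [c for c in modified if c not in base_set])


def lint(text):
    """Return a list of findings for a mod_ssl fragment; an empty list means clean."""
    d = parse_mod_ssl(text)
    findings = []
    enabled = enabled_protocols(d.get("SSLProtocol", ""))
    findings += [f"SSLProtocol leaves {p} enabled" for p in LEGACY_PROTOCOLS if p in enabled]
    suites = parse_cipher_list(d.get("SSLCipherSuite", ""))
    if not suites:
        findings.append("SSLCipherSuite not set (OpenSSL default list applies)")
    for s in suites:
        if not s.startswith(("ECDHE-", "DHE-")):
            findings.append(f"{s}: no forward secrecy (static key exchange)")
        elif not any(m in s for m in AEAD_MARKERS):
            findings.append(f"{s}: CBC suite, graded weak by SSL Labs")
    for name, want in EXPECTED.items():
        if d.get(name, "").lower() != want:
            findings.append(f"{name} should be {want}")
    if any(s.startswith("DHE-") for s in suites) and "SSLOpenSSLConfCmd DHParameters" not in d:
        findings.append("DHE suites offered without custom DHParameters (weak default DH group)")
    return findings


if __name__ == "__main__":
    removed, added = diff_cipher_lists(parse_cipher_list(MOZILLA_MODERN_2019),
                                       parse_cipher_list(parse_mod_ssl(PAGE_CONFIG)["SSLCipherSuite"]))
    print("removed vs. Mozilla modern:", removed)
    print("added vs. Mozilla modern:  ", added)
    for label, cfg in (("page config", PAGE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(f"\n{label}:")
        for f in lint(cfg) or ["clean"]:
            print("  -", f)
```

Run against the page's own directives the linter reports exactly the two CBC suites the comment knowingly kept for IE11/Win7 (ECDHE-ECDSA-AES256-SHA384 and ECDHE-ECDSA-AES128-SHA256) and nothing else, which is a quick way to confirm that an edited copy of the file still matches the intent described in the comments before running the SSL Labs test.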
Daniel Marschall
ViaThinkSoft Co-Founder