Posted to users@httpd.apache.org by "Chunduru, Krishnachaithanya" <Kr...@broadridge.com> on 2017/03/17 14:36:35 UTC

[users@httpd] Enabling Forward secrecy on SSL

Hi All,

Can someone advise me on how to achieve the below on a server running with Apache SSL enabled?


*         SSL - Supports Weak Encryption: The following protocols should be switched on - TLS 1.2, TLS 1.1, TLS 1.0. SSL 3 and SSL 2 should be disabled.

*         Weak Configuration - SSL/TLS - Deprecated Protocol: Disable the use of SSL 2.0 and 3.0 as well as TLS 1.0. Use TLS 1.1, 1.2, or later and set the latest protocol as preferred.

*         The Server Does Not Support Forward Secrecy:

Regards,
Krishna


This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

Re: [users@httpd] Enabling Forward secrecy on SSL

Posted by David Mehler <da...@gmail.com>.
Hello,

Try this configuration. If anyone can take a look at this setup and see
whether I've missed something or need a protocol adjustment, let me
know. I get an A+ on ssllabs.

Hth
Dave.

httpd-ssl.conf:
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

# OCSP Stapling settings
SSLUseStapling On
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLStaplingResponderTimeout 15
SSLStaplingReturnResponderErrors off
SSLStaplingStandardCacheTimeout 3600

# For modern configuration
SSLProtocol all -SSLv2 -SSLv3
# Enable PFS: only ephemeral ECDH/DH key exchange, AES-GCM preferred
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression Off
SSLSessionTickets Off
# Strong dh parameters file
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

# For temporary legacy intermediate clients (commented out; if enabled, the
# cipher list must stay on a single line)
#SSLProtocol             all -SSLv2 -SSLv3
#SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#SSLHonorCipherOrder     on
#SSLCompression          off

SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/www/apache24/sslvhost"
    ServerName www.example.com:443
    ServerAdmin webmaster@example.com
    ErrorLog "/var/log/http-ssl-error.log"
    TransferLog "/var/log/httpd-ssl-access.log"
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/webmail.example.com/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/webmail.example.com/privkey.pem"

    # harden with http strict transport security
    # Add 6 month HSTS header for all users
    #Header always set Strict-Transport-Security "max-age=15768000"
    # If you want to protect all subdomains, use the following header
    # ALL subdomains HAVE TO support HTTPS if you use this!
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

    # Avoid click jacking
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/local/www/apache24/sslvhost>
        Require all granted
        Options FollowSymLinks
        AllowOverride none
    </Directory>
    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    CustomLog "/var/log/httpd-ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


On 3/17/17, Chunduru, Krishnachaithanya
<Kr...@broadridge.com> wrote:
> Hi All,
>
> Can someone advise me on how to achieve the below on a server running with
> Apache SSL enabled.
>
>
> *         SSL - Supports Weak Encryption  The following protocols should be
> switched on - TLS 1.2, TLS 1.1, TLS 1.0. SSL 3 and SSL 2 should be
> disabled.
>
> *         Weak Configuration - SSL/TLS - Deprecated Protocol: Disable the
> use of SSL 2.0 and 3.0 as well as TLS 1.0. Use TLS 1.1, 1.2, or later and
> set the latest protocol as preferred.
>
> *         The Server Does Not Support Forward Secrecy :
>
> Regards,
> Krishna
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] RE: Enabling Forward secrecy on SSL

Posted by Daniel <df...@gmail.com>.
2017-03-30 14:07 GMT+02:00 Abernathy, Don <DA...@mfs.com>:

> The most common way we did this was, in the VirtualHost directive for the
> SSL side of the site, to declare what is and is not allowed.
>
> Plenty of docs on this out there but here is ours:
>

This is IBM HTTP Server, not Apache HTTPD!


>
> SSLEnable
> SSLProtocolDisable SSLv2 SSLv3
> SSLCipherSpec ALL NONE
> SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
> SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
> SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
> SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
> SSLClientAuth 0
>
> Don Abernathy
> Group Manager- Web Services
> T: 617-954-4127
> MFS Investment Management
> 111 Huntington Ave, Boston, MA 02199
>


-- 
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal

[users@httpd] RE: Enabling Forward secrecy on SSL

Posted by "Abernathy, Don" <DA...@MFS.com>.
The most common way we did this was, in the VirtualHost directive for the SSL side of the site, to declare what is and is not allowed.
Plenty of docs on this out there but here is ours:


SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLClientAuth 0


Don Abernathy
Group Manager- Web Services
T: 617-954-4127
MFS Investment Management
111 Huntington Ave, Boston, MA 02199



From: Chunduru, Krishnachaithanya [mailto:Krishnachaithanya.Chunduru@broadridge.com]
Sent: Friday, March 17, 2017 10:37 AM
To: users@httpd.apache.org
Subject: [users@httpd] Enabling Forward secrecy on SSL

Hi All,

Can someone advise me on how to achieve the below on a server running with Apache SSL enabled.


*         SSL - Supports Weak Encryption  The following protocols should be switched on - TLS 1.2, TLS 1.1, TLS 1.0. SSL 3 and SSL 2 should be disabled.

*         Weak Configuration - SSL/TLS - Deprecated Protocol: Disable the use of SSL 2.0 and 3.0 as well as TLS 1.0. Use TLS 1.1, 1.2, or later and set the latest protocol as preferred.

*         The Server Does Not Support Forward Secrecy :

Regards,
Krishna



MFS Email system made the following annotation
---------------------------------------------------------------------------------------------------------------------------------------
This email communication and any attachments may contain proprietary, confidential, or privileged information. If you are not the intended recipient, you are hereby notified that you have received this email in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. The sender does not waive confidentiality or any privilege by mistransmission. If you have received this email in error, please notify the sender immediately, delete this email, and destroy all copies and any attachments.
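Added example (not code from anyone in this thread): an offline check of the three scanner findings Krishna listed, run against configuration fragments of the two kinds posted above. For Apache httpd it evaluates SSLProtocol the way mod_ssl does ("all" expands to SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3, taken from the 2.4 documentation; 2.4 no longer offers SSLv2) and expands the OpenSSL cipher string with the local OpenSSL through Python's ssl module, flagging every suite whose key exchange is not ephemeral ECDH or DH. For IBM HTTP Server it reads SSLProtocolDisable and the SSLCipherSpec list (assumed semantics: "ALL NONE" clears the list, later lines add to it) and classifies the IANA suite names by their TLS_ECDHE_/TLS_DHE_ prefix. The sample configs are constructed, patterned on Dave's and Don's posts; the function and variable names are this example's own.

```python
import re
import ssl

# mod_ssl 2.4 meaning of "all" in SSLProtocol (assumption from the 2.4 docs;
# SSLv2 is not offered by 2.4, so it can never end up enabled).
MODSSL_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# OpenSSL describes ephemeral ECDH as "Kx=ECDH" and ephemeral DH as "Kx=DH";
# anything else (Kx=RSA, Kx=ECDH/RSA, ...) has no forward secrecy.
EPHEMERAL_KX = {"ECDH", "DH"}


def directive(config, name):
    """Value of the last uncommented occurrence of a directive, or None."""
    value = None
    for line in config.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip().strip('"')
    return value


def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right: 'all' and bare names add,
    '+X' adds, '-X' removes."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= MODSSL_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def expand_ciphers(spec):
    """Expand an OpenSSL cipher string into (suite name, key exchange) pairs.
    TLS 1.3 suites are always listed by OpenSSL and always use ephemeral key
    exchange, so they are left out of the report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    pairs = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        m = re.search(r"Kx=(\S+)", c["description"])
        pairs.append((c["name"], m.group(1) if m else "unknown"))
    return pairs


def lint_modssl(config):
    """Report on an Apache httpd mod_ssl fragment."""
    protocols = enabled_protocols(directive(config, "SSLProtocol") or "all")
    ciphers = expand_ciphers(directive(config, "SSLCipherSuite") or "DEFAULT")
    non_pfs = [name for name, kx in ciphers if kx not in EPHEMERAL_KX]
    return {
        "sslv2_sslv3_disabled": not ({"SSLv2", "SSLv3"} & protocols),
        "tlsv1_disabled": "TLSv1" not in protocols,
        "forward_secrecy_only": bool(ciphers) and not non_pfs,
        "non_pfs_ciphers": non_pfs,
        "honor_cipher_order": (directive(config, "SSLHonorCipherOrder") or "off").lower() == "on",
    }


def lint_ihs(config):
    """Report on an IBM HTTP Server fragment (assumed semantics, see lead-in)."""
    disabled, suites = set(), []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "SSLProtocolDisable":
            disabled.update(parts[1:])
        elif parts[0] == "SSLCipherSpec" and len(parts) == 3:
            proto, suite = parts[1], parts[2]
            if suite == "NONE":  # clears the list for that protocol (or all)
                suites = [s for s in suites if proto != "ALL" and s[0] != proto]
            else:
                suites.append((proto, suite))
    pfs = [s for _, s in suites if re.match(r"TLS_(ECDHE|DHE)_", s)]
    return {
        "sslv2_sslv3_disabled": {"SSLv2", "SSLv3"} <= disabled,
        "forward_secrecy_offered": bool(pfs),
        "non_pfs_ciphers": [s for _, s in suites if s not in pfs],
    }


# Constructed samples patterned on the two configurations posted in the thread.
MODSSL_SAMPLE = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
"""
MODSSL_HARDENED = MODSSL_SAMPLE.replace("-SSLv3", "-SSLv3 -TLSv1")  # also drops TLS 1.0
IHS_SAMPLE = """
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    print("mod_ssl as posted:", lint_modssl(MODSSL_SAMPLE))
    print("mod_ssl with TLS 1.0 off:", lint_modssl(MODSSL_HARDENED))
    print("IHS as posted:", lint_ihs(IHS_SAMPLE))
```

Run against the first sample, the report shows what the thread's answers leave open: Dave's SSLProtocol line satisfies the first finding but not the second (TLS 1.0 stays enabled until "-TLSv1" is added), while his cipher string is ephemeral-only and so clears the forward secrecy finding. The IHS sample offers ECDHE suites on TLS 1.2 but still lists static TLS_RSA_WITH_* suites for the other protocols, which is why a scanner can report forward secrecy as "supported" yet not "preferred". The expansion depends on the OpenSSL build the ssl module is linked against, so run it on the same host that runs httpd.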