Apache SSL/TLS Security Settings

From IVS Wiki
Jump to: navigation, search
  1. Connect to the server via ssh or access the shell via the console.
  2. Type in the following, and then press Enter: 
    sudo nano /etc/apache2/sites-enabled/default-ssl.conf
  3. Locate the line in the file 
    SSLProtocol ALL -SSLv2
  4. Comment out this line by placing a # at the beginning of the line.
  5. Add the following lines below the line that you just commented out:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  1. Type CTRL-X and then press Enter to exit.
  2. Enter Y to save changes.
  3. Do not change the name and press Enter to save the changes.
  4. Type in the following, and then press Enter: 
    sudo nano /etc/apache2/apache2.conf
  5. Scroll to the bottom of the file.
  6. Add the following lines:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  1. Type CTRL-X and then press Enter to exit.
  2. Enter Y to save changes.
  3. Do not change the name, and press Enter to save the changes.
  4. Type in the following, and then press Enter: 
    sudo service apache2 restart

You can verify the active ciphers by running the following command: 

nmap -sV --script ssl-enum-ciphers -p 443 <host>
Retrieved from "https://ipivs.info/wiki/index.php?title=Apache_SSL/TLS_Security_Settings&oldid=4165"