Apache2 cipher selection

This tutorial explains how to configure the Apache2 cipher selection. The result is better security: connections default to cipher suites with perfect forward secrecy (PFS), and known insecure ciphers are disallowed.
We start by editing /etc/apache2/sites-available/002-ssl-www.rivy.org.conf from the previous post.

You can check the overall SSL/TLS settings of your web server with the SSL Labs server test, a free service from Qualys. Before applying the configuration below, the results for my web server looked like this.

SSL Labs results before cipher selection

In the <VirtualHost> section, add the following lines. Please note that I used the settings from the fine folks at bettercrypto.org. The three directives do the following: SSLProtocol disables the SSLv2 and SSLv3 protocols (both broken) and leaves every TLS version enabled; SSLHonorCipherOrder on makes the server pick the first mutually supported suite from its own list instead of the client's, which is what makes the PFS-first ordering below count; SSLCipherSuite is an ordinary OpenSSL cipher string, so it can be tested with the openssl tool before touching Apache.

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # taken from https://bettercrypto.org
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
    EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\
    +SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\
    !ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

Two things in the cipher string are easy to misread. "+SSLv3" is the OpenSSL cipher-suite alias for the pre-TLS 1.2 suites (CBC with SHA-1, which OpenSSL labels SSLv3), and the leading "+" only moves them to the back of the list; the SSLv3 protocol itself is switched off by SSLProtocol. "!ECDSA" removes every ECDSA suite, which is fine with the RSA certificate used here, but if you ever switch to an ECDSA certificate you must drop that entry, otherwise no TLS 1.2 (or older) suite will match the certificate. The four plain suites at the end (CAMELLIA256-SHA, AES256-SHA, CAMELLIA128-SHA, AES128-SHA) use static RSA key exchange and offer no forward secrecy; they are kept, last, as a fallback for old clients that support nothing better.
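
To see what that cipher string actually selects on your own OpenSSL (the same answer `openssl ciphers -v '...'` gives), here is an added example; it is not code from the original post or from bettercrypto.org. It asks Python's ssl module, which links the local OpenSSL, to expand the string, then checks the three properties the configuration aims for: none of the excluded algorithms survive, every forward-secret suite is ordered ahead of the static-RSA fallback suites, and the fallbacks sit at the very end. The function names and the FORBIDDEN table are my own; the exact list and order depend on the OpenSSL version Python links, which is why the check is worth running on the actual server rather than a workstation.

```python
"""Added example (not from the original post): expand an Apache/OpenSSL
cipher string on the local OpenSSL and check the properties the post wants.
Runs fully offline; it never talks to the web server."""
import ssl

# The bettercrypto.org cipher string from the post, joined onto one line
# (OpenSSL sees one string either way; Apache joins the backslash lines).
BETTERCRYPTO_CIPHERS = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:"
    "!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Substrings that must not appear in any enabled suite name. This is my own
# table mirroring the "!" exclusions in the string; drop "ECDSA" from it if
# your server uses an ECDSA certificate.
FORBIDDEN = ("RC4", "DES", "MD5", "NULL", "EXP", "PSK", "DSS", "SEED", "ECDSA")


def enabled_suites(cipher_string):
    """Suite names the local OpenSSL enables for cipher_string, in the order
    the server prefers them (the order SSLHonorCipherOrder on enforces).
    set_ciphers raises ssl.SSLError if nothing matches at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def is_pfs(name):
    """Ephemeral key exchange: ECDHE-*, DHE-* and every TLS 1.3 suite."""
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def policy_violations(suites):
    """Suites that contain an algorithm the string is meant to exclude."""
    return [s for s in suites if any(bad in s for bad in FORBIDDEN)]


def pfs_before_static(suites):
    """True if every PFS suite is ordered ahead of every static-RSA suite, so a
    client that supports PFS is never steered to AES256-SHA and friends."""
    pfs_idx = [i for i, s in enumerate(suites) if is_pfs(s)]
    static_idx = [i for i, s in enumerate(suites) if not is_pfs(s)]
    return not pfs_idx or not static_idx or max(pfs_idx) < min(static_idx)


if __name__ == "__main__":
    suites = enabled_suites(BETTERCRYPTO_CIPHERS)
    for name in suites:
        print(("PFS    " if is_pfs(name) else "static ") + name)
    print("violations:", policy_violations(suites) or "none")
    print("PFS suites ahead of static fallback:", pfs_before_static(suites))
    # A permissive string, shown for contrast: the checker flags it.
    print("violations in ALL:", len(policy_violations(enabled_suites("ALL"))))
```

The printed order is exactly the order Apache will walk through when SSLHonorCipherOrder is on, so if the static-RSA suites ever show up before an ECDHE or DHE suite, the string has been edited badly. The "ALL" line at the end is there to show that the checker is not vacuous: a permissive string produces a long list of violations.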

After saving the file and restarting Apache2, the results look much better: we're all green. Note that this scan was done on Jan 31, 2015. Newly discovered weaknesses in the selected ciphers can lower the rating later, so rescan after any TLS-related news.

SSL Labs result after cipher selection
