
Best SSL (Secure Sockets Layer) Configuration in Apache

Discussion in 'Security' started by Nagib Mahfuz Plabon, May 12, 2017.

  1. #1
    We all know about SSL or Secure Sockets Layer. In the Web Hosting industry, it's very important to have an SSL Certificate. It has become handy nowadays with less issuing time at the Certification Authorities. Today, I'm writing about how to get the best security in Apache Configuration.

    Most of the time, we use SSLLabs to analyze our SSL Certificate performance after installing an SSL Certificate in cPanel/WHM. But it doesn't always get A+, which means you're not following standard configuration, which can leave your server as well as your customers vulnerable.

    So, to get the highest Security, we need:
    • Correct Certificate Chain
    • Correct Hostname
    • Strong Cipher Suites
    • Disabling SSLv2 & v3
    • Enabling HTTP Strict Transport Security (HSTS)
    • Enabling Forward Secrecy

    Correct Certificate Chain

    You need to install the intermediate certificates provided by the CA to remove warnings in some browsers, e.g. Android Browsers. You can search for the intermediate certificates on your CA's main website. The Root Certificate does not need to be installed, as it's fetched from the store.

    Correct Hostname

    You need to set the correct hostname and match it with the issued SSL domain to work perfectly. A mismatched hostname often shows a warning.

    Strong Cipher Suites

    You need to use strong cipher suites. Cipher suites are mostly protocols to stimulate handshakes for encryption. For Apache, the strong suites configuration is:

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    # The Header directives require mod_headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # Requires Apache >= 2.4.11
    SSLSessionTickets Off

    You can find configurations for other web servers here: https://cipherli.st/

    Disabling SSLv2 & v3

    If you have configured the cipher suites, then SSL Protocol v2 & v3 have already been disabled. This is very important to prevent the POODLE Attack.

    Enabling HTTP Strict Transport Security (HSTS)

    If you have configured your SSL Configuration from cipherli.st, then you have already enabled HSTS. But it has some drawbacks. A website which has it enabled will load automatically over HTTPS, regardless of whether you want to browse the non-HTTPS link. In one word, you're forcing everyone to load the secured website.

    Enabling Forward Secrecy

    Forward Secrecy is enabled in the cipher suites. Among all the cipher suites available, there is a small number of them which have forward secrecy enabled. Only ECDHE & DHE keys have this enabled. So, better use these cipher suites in the configuration.

    An SSL Certificate has a great impact on SEO, visitor trust & web shopping. Better try to find a reputable CA with a dynamic Site Seal, which will pour more trust into an SSL.
     
    Nagib Mahfuz Plabon, May 12, 2017
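As an added example (not part of the original post or of Apache), a small Python linter that applies the checklist from the post above to an Apache vhost fragment: legacy protocols disabled, forward-secrecy-only cipher groups, cipher order honored, compression and session tickets off, stapling on, and a long HSTS max-age. The one-year HSTS threshold, the simplified meaning of SSLProtocol "All", and the weak sample config are this example's own assumptions.

```python
import re
HSTS_MIN_MAX_AGE = 31536000  # this example's own threshold (one year), not an Apache or SSLLabs rule
LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}  # simplified meaning of "All"
EPHEMERAL_KX = re.compile(r"EECDH|ECDHE|EDH|DHE")  # static ECDH-RSA or plain RSA key exchange won't match

def enabled_protocols(args):
    """Resolve an SSLProtocol value such as 'All -SSLv3 -TLSv1' into the set of enabled versions."""
    enabled = set()
    for tok in args.lower().split():
        if tok == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit_ssl_config(text):
    """Return {check: passed} for the points the post raises; a missing directive counts as a failure."""
    d, hsts = {}, ""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)  # directive name, then its arguments
        if parts and not parts[0].startswith("#"):
            name, args = parts[0], (parts[1] if len(parts) > 1 else "")
            if name == "Header" and "Strict-Transport-Security" in args:
                hsts = args
            else:
                d[name.lower()] = args
    # every positive cipher group must use an ephemeral key exchange; '!' groups are exclusions
    groups = [g for g in d.get("sslciphersuite", "").split(":") if g and not g.startswith("!")]
    max_age = re.search(r"max-age=(\d+)", hsts)
    return {
        "legacy_protocols_disabled": not (enabled_protocols(d.get("sslprotocol", "all")) & LEGACY_PROTOCOLS),
        "forward_secrecy_only": bool(groups) and all(EPHEMERAL_KX.search(g.upper()) for g in groups),
        "honor_cipher_order": d.get("sslhonorcipherorder", "").lower() == "on",
        "compression_off": d.get("sslcompression", "").lower() == "off",
        "session_tickets_off": d.get("sslsessiontickets", "").lower() == "off",
        "ocsp_stapling_on": d.get("sslusestapling", "").lower() == "on",
        "hsts_one_year": bool(max_age) and int(max_age.group(1)) >= HSTS_MIN_MAX_AGE,
    }

# Constructed sample: a permissive vhost fragment of the kind SSLLabs marks down.
WEAK_CONFIG = 'SSLProtocol All\nSSLCipherSuite HIGH:!aNULL:!MD5\nSSLHonorCipherOrder Off\n' \
              'Header always set Strict-Transport-Security "max-age=300"\n'

if __name__ == "__main__":
    for check, ok in audit_ssl_config(WEAK_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Running it against the post's own block above passes every check, while the weak sample fails all of them.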
  2. PoPSiCLe

    PoPSiCLe Illustrious Member

    #2
    Or, depending on the needs, you can just use an issuing entity like LetsEncrypt, and run that.
     
    PoPSiCLe, May 12, 2017
  3. Nagib Mahfuz Plabon

    Nagib Mahfuz Plabon Member

    #3
    I have written about the server side entity. Even if you get Symantec EV SSL, you need to configure server side options. CA is not a factor here.
     
    Nagib Mahfuz Plabon, May 12, 2017
  4. PoPSiCLe

    PoPSiCLe Illustrious Member

    #4
    Yes, you do, but using LetsEncrypt, most of this (apart from the domains) is done more or less for you. You answer a few setup questions, and the rest is taken care of. I'm just saying that using SSL is getting quite a bit easier.
     
    PoPSiCLe, May 15, 2017