1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Best SSL (Secure Sockets Layer) Configuration in Apache

Discussion in 'Security' started by Nagib Mahfuz Plabon, May 12, 2017.

  1. #1
    We all know about SSL or Secure Sockets Layer. In Web Hosting industry, it's very much important to have a SSL Certificate. It has become handy now-a-days with less issuing time in the Certification Authorities. Today, I'm writing about how to get best security in Apache Configuration.

    Most of the time, we use SSLLabs to analyze our SSL Certificate performance after installing a SSL Certificate in cPanel/WHM. But, it doesn't get A+ always which means you're not following standard configuration which can be vulnerable to your server as well as customers.

    So, to get highest Security, we need to:
    • Correct Certificate Chain
    • Correct Hostname
    • Strong Cipher Suites
    • Disabling SSLv2 & v3
    • Enabling HTTP Strict Transport Security (HSTS)
    • Enabling Forward Secrecy

    Correct Certificate Chain

    You need to install intermediate certificates provided from CA to remove warnings in some browsers i.e. Android Browsers. You can search for the intermediate certificates in your CA's Main Website. Root Certificate is not need to be installed as it's fetched from Store.

    Correct Hostname

    You need to set correct hostname & match it with issued SSL Domain to work perfectly. Mismatched hostname often shows warning.
    SEMrush
    Strong Cipher Suites

    You need to use Strong Cipher Suites. Cipher suites are mostly protocols to stimulate handshakes for encryption. For Apache, strong suites configuration is:

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # Requires Apache >= 2.4.11
    SSLSessionTickets Off

    You can find for other web servers here: https://cipherli.st/

    Disabling SSLv2 & v3

    If you have configured cipher suites, then SSL Protocol v2 & v3 has been already disabled. This is very important to prevent POODLE Attack.

    Enabling HTTP Strict Transport Security (HSTS)

    If you have configured your SSL Configuration from cipherli.st then, you have already enabled HSTS. But, it has some drawbacks. The website which has it enabled will load automatically with HTTPS regardless you want to browse the Non-HTTPS link. In one word, you're enforcing everyone to load secured website.

    Enabling Forward Secrecy

    Forward Secrecy is enabled in cipher suites. Among all the cipher suites available, there are small numbers of them which has forward secrecy enabled. Only ECDHE & DHE Keys have this enabled. So, better use these cipher suites in configuration.

    SSL Certificate has great impact on SEO, Visitor Trust & web shopping. Better try to find a reputable CA with dynamic Site Seal which will pour more trust in a SSL.
     
    Nagib Mahfuz Plabon, May 12, 2017 IP
    SEMrush
  2. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,630
    Likes Received:
    724
    Best Answers:
    152
    Trophy Points:
    470
    #2
    Or, depending on the needs, you can just use an issuing entity like LetsEncrypt, and run that.
     
    PoPSiCLe, May 12, 2017 IP
  3. Nagib Mahfuz Plabon

    Nagib Mahfuz Plabon Member

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    31
    #3
    I have written about the server side entity. Even if you get Symantec EV SSL, you need to configure server side options. CA is not a factor here.
     
    Nagib Mahfuz Plabon, May 12, 2017 IP
  4. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,630
    Likes Received:
    724
    Best Answers:
    152
    Trophy Points:
    470
    #4
    Yes, you do, but using LetsEncrypt, most of this (apart from the domains) are done more or less for you. You answer a few setup-questions, and the rest is taken care of. I'm just saying that using SSL is getting quite a bit easier.
     
    PoPSiCLe, May 15, 2017 IP