I'm installing an Apache HTTP Server on my Windows XP machine. I need encryption because I'm going to be receiving and storing sensitive information - I'm not sure which protocol and ciphersuite I need to use. What should I consider when choosing which level of encryption to go with? My server will be hosting a site that I need anyone to be able to access, but they'll be submitting sensitive data through a form that will be stored in a MSSQL database. I'm going to buy an SSL cert, but what files will I need to configure? I know you edit the ciphersuite in httpd.conf, but do I need to mess with anything else?
With regards to configuration, you'll just need to make sure you have a virtual host listening on port 443, and the only options that should be *required* for installation are SSLEngine On, SSLCertificateFile and SSLCertificateKeyFile. You may need additional options for chained-root certificates, and all of these options should be included in the installation documentation from the vendor you purchase your SSL certificate from. Specifying your exact cipher suite (using SSLCipherSuite) different from the default shouldn't be a concern for you unless you want to require a certain set of options. The option is well-documented at: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite
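The virtual host the answer describes, written out as an added example (not part of the original answer): the three required directives plus the optional chain and cipher-policy lines. The hostname and all file paths are placeholders, and the protocol/cipher lines are only an illustration of how an explicit policy looks, not something the answer says is required.

```apache
# Added example, not from the original answer. Paths and hostname are placeholders.
Listen 443

<VirtualHost *:443>
    # Placeholder hostname; must match the name on the purchased certificate
    ServerName www.example.com
    # Placeholder document root
    DocumentRoot "C:/Apache2/htdocs"

    # The three directives the answer says are required
    SSLEngine On
    # Certificate issued by the vendor (placeholder path)
    SSLCertificateFile "C:/Apache2/conf/ssl/server.crt"
    # Private key; keep file permissions restricted to the service account (placeholder path)
    SSLCertificateKeyFile "C:/Apache2/conf/ssl/server.key"

    # Only needed when the vendor supplies an intermediate (chain) certificate,
    # as the answer notes; their documentation gives the exact file (placeholder path)
    SSLCertificateChainFile "C:/Apache2/conf/ssl/chain.crt"

    # Optional explicit policy (the answer says the default is acceptable):
    # refuse SSLv2/SSLv3, let the server choose cipher order, and
    # exclude unauthenticated and MD5-based suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
```

Apache rejects comments placed after a directive on the same line, so keep each `#` comment on its own line as above. After restarting, `openssl s_client -connect www.example.com:443` shows the negotiated protocol, cipher and whether the chain verifies.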