I was testing one of my SSL-enabled sites after securing Apache HTTPD against POODLE when I noticed the following warning:
The server does not support Forward Secrecy with the reference browsers
To ensure I was operating at the best security level possible for my little site, I added the following to apache2.conf (in /etc/apache2/):
# Added this when securing against POODLE
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
By the way, if you are running NGINX you can add the following:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
After I completed the changes above, I tested again and things looked much better and my score went up.
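Whether a suite gives forward secrecy is decided by its key exchange, not its cipher: only ephemeral (EC)DH does, and a bare alias like the trailing RC4 in the list above also admits RSA-key-exchange suites such as RC4-SHA. The checker below is an added example, not part of the original post; it parses the output format of `openssl ciphers -v` and flags every suite whose Kx field is not ephemeral ECDH or DH, using a constructed sample in that format so it runs offline.

```python
"""Flag suites in an OpenSSL cipher list that cannot give forward secrecy.

Added example (not from the original post). Input is the format printed by
`openssl ciphers -v`: one suite per line with a `Kx=` key-exchange field.
"""
import shutil
import subprocess

# Only ephemeral key exchange gives forward secrecy. Static variants such as
# "ECDH/RSA" (OpenSSL 1.0.x) and plain "RSA" deliberately do not match.
FORWARD_SECRET_KX = {"ECDH", "DH"}

# Constructed sample in the shape of `openssl ciphers -v` output. The last
# line shows what a bare `RC4` alias lets back in: RSA key exchange, no FS.
SAMPLE_CIPHERS_V = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""


def parse_ciphers_v(text):
    """Return [(suite_name, kx)] for each suite line in `ciphers -v` output."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        kx = [f[3:] for f in fields if f.startswith("Kx=")]
        if fields and kx:
            suites.append((fields[0], kx[0]))
    return suites


def non_forward_secret(text):
    """Names of suites, in server preference order, that lack forward secrecy."""
    return [name for name, kx in parse_ciphers_v(text)
            if kx not in FORWARD_SECRET_KX]


def expand_with_openssl(cipher_string):
    """Expand a cipher string with the local openssl binary, if one exists.

    Returns the `openssl ciphers -v` text, or None when openssl is not installed,
    so the result can be handed straight to non_forward_secret().
    """
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                            capture_output=True, text=True, check=True)
    return result.stdout
```

Run `non_forward_secret(expand_with_openssl("<your SSLCipherSuite string>"))` on the server itself; because SSLHonorCipherOrder is on, any suite it reports is only reached when a client offers nothing earlier in the list.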
3 replies on “Configuring Apache for Forward Secrecy”
Thanks, Jermal, that worked!
Thanks, Jermal.
Thanks!