
Configuring Apache for Forward Secrecy

I was testing one of my SSL-enabled sites after securing Apache HTTPD from POODLE, when I noticed the following warning:

The server does not support Forward Secrecy with the reference browsers

To ensure I was operating at the best security level possible for my little site, I added the following to apache2.conf (in /etc/apache2/):

# added this when securing against POODLE
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

By the way, if you are running NGINX you can add the following:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

After I completed the changes above, I tested again and things looked much better and my score went up.
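Both the Apache SSLCipherSuite and the nginx ssl_ciphers lines above are OpenSSL cipher strings, so you can check what they actually select before reloading the server and re-running the online scan. The script below is an added example, not code from the original post: it uses only Python's standard library, letting the OpenSSL that Python is linked against expand the string (the same way `openssl ciphers -v` does) and flagging every selected suite whose key exchange is not ephemeral. The cipher string is copied from the post with straight quotes; the function names and the FORWARD_SECRET_KX set are this example's own.

```python
"""Check an OpenSSL cipher string (Apache SSLCipherSuite / nginx ssl_ciphers)
for suites that do not provide forward secrecy.

Added example, not part of the original post. ssl.SSLContext.set_ciphers()
expands the string with the linked OpenSSL, and get_ciphers() exposes each
suite's "Kx=" field exactly as `openssl ciphers -v` prints it.
"""
import re
import ssl

# Key exchange families that give forward secrecy: ephemeral (EC)DH, plus
# "any", which is how OpenSSL labels the TLS 1.3 suites (always ephemeral).
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}

# Cipher string from the post (straight quotes assumed).
POST_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Matches the "Kx=ECDH" / "Kx=RSA" / "Kx=any" token in a suite description.
_KX_RE = re.compile(r"\bKx=(\S+)")


def expand_cipher_string(cipher_string):
    """Return [(suite_name, key_exchange)] for every suite the string selects.

    Raises ssl.SSLError when the string selects nothing at all, which is the
    same condition that makes Apache and nginx refuse to start.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = []
    for cipher in ctx.get_ciphers():
        match = _KX_RE.search(cipher["description"])
        suites.append((cipher["name"], match.group(1) if match else "?"))
    return suites


def non_forward_secret(cipher_string):
    """Names of the selected suites whose key exchange is not forward secret."""
    return [
        name
        for name, kx in expand_cipher_string(cipher_string)
        if kx not in FORWARD_SECRET_KX
    ]


def report(cipher_string):
    """Print one line per selected suite and return the non-forward-secret ones."""
    suites = expand_cipher_string(cipher_string)
    offenders = non_forward_secret(cipher_string)
    for name, kx in suites:
        flag = "" if kx in FORWARD_SECRET_KX else "  <-- no forward secrecy"
        print(f"{name:40} Kx={kx}{flag}")
    print(f"{len(suites)} suites selected, {len(offenders)} without forward secrecy")
    return offenders


if __name__ == "__main__":
    report(POST_CIPHER_STRING)
```

Run it against the post's string and any suite marked with the arrow is one that a client could still negotiate without forward secrecy. One thing worth knowing about that string: the bare `RC4` token (unlike `EECDH+aRSA+RC4`) admits RC4 suites with plain RSA key exchange on the OpenSSL 1.0.x builds the post predates, and this check would flag them; OpenSSL 1.1.0 and later leave RC4 out of default builds, so there the token selects nothing. The script only inspects cipher suites; it says nothing about the SSLProtocol / ssl_protocols lines, which are a separate setting.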
