Notes for keeping Apache TLS secure on Debian Wheezy.
Apache and OpenSSL versions:

# apachectl -v
Server version: Apache/2.2.22 (Debian)
Server built:   Dec 23 2014 22:48:29
# dpkg -s apache2 | grep Version
Version: 2.2.22-13+deb7u4
# dpkg -s openssl | grep Version
Version: 1.0.1e-2+deb7u17
Excerpts from /etc/apache2/mods-available/ssl.conf:

# RSA 2048 bits SSL certificate
# (use a 4096 bits one and you may score 100 for key exchange)
# signature algorithm SHA256withRSA
SSLCertificateFile      /etc/ssl/webserver/web.crt
SSLCertificateKeyFile   /etc/ssl/webserver/web.key
SSLCertificateChainFile /etc/ssl/webserver/web-ca.crt

SSLProtocol all -SSLv2 -SSLv3

# DES-CBC3-SHA for IE8/XP support
# (the cipher string uses ':' separators only; a trailing ';' is rejected by OpenSSL)
SSLCipherSuite EECDH+AES:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH:!EXP:!SRP:!DSS:!LOW
SSLHonorCipherOrder on

SSLVerifyClient none
SSLVerifyDepth 1

# Guarantee HTTPS for 180 days including sub domains
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
SSL Labs scan result: