Getting an “A+” on Qualys SSL Labs with Apache 2.2 on Debian

Notes for keeping Apache TLS secure on Debian Wheezy.

Apache and OpenSSL versions:

# apachectl -v
Server version: Apache/2.2.22 (Debian)
Server built:   Dec 23 2014 22:48:29
# dpkg -s apache2 | grep Version
Version: 2.2.22-13+deb7u4
# dpkg -s openssl | grep Version
Version: 1.0.1e-2+deb7u17

Excerpts from /etc/apache2/mods-available/ssl.conf:

# RSA 2048 bits SSL certificate
# (use a 4096 bits one and you may score 100 for key exchange) 
# signature algorithm SHA256withRSA
SSLCertificateFile      /etc/ssl/webserver/web.crt
SSLCertificateKeyFile   /etc/ssl/webserver/web.key
SSLCertificateChainFile /etc/ssl/webserver/web-ca.crt

SSLProtocol all -SSLv2 -SSLv3

# DES-CBC3-SHA for IE8/XP support
SSLCipherSuite EECDH+AES:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH:!EXP:!SRP:!DSS:!LOW;

SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1

# Guarantee HTTPS for 180 days including sub domains 
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

SSL Labs scan result: