Apache

How to get an A+ Rating with 100% score on the SSLLabs Test with Apache

Introduction

This configuration is a bit of a moving target, and will likely change in future as security changes.

This is a fairly simple process. Configure all the steps and you will get an A+ rating with 100% score for Certificate, Protocol Support, Key Exchange & Cipher Strength.

This configuration is known to work on Ubuntu 16.04 LTS, but it should work on other setups providing you have the right software versions. Please note that the configuration of DH / ECDH requires at least Apache 2.4.8+ with OpenSSL 1.0.2+.

This set of instructions also assumes that you have a working SSL configuration with a proper CA-signed 4096-bit RSA certificate.

If you need more information on how to do that, look at this article.

https://itigloo.com/security/generate-an-openssl-certificate-request-with-sha-256-signature/

** Please back up your configuration before you make changes. Just in case **

Configure Secure Cipher Suites

Edit /etc/apache2/mods-enabled/ssl.conf

Modify the SSLCipherSuite directive to disable all cipher suites that are not 256-bit or above.

SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"

Configure SSL / TLS Protocols

Also in /etc/apache2/mods-enabled/ssl.conf

Ensure that only TLS 1.2 is enabled. All modern web browsers support this, including Internet Explorer 11 on Windows 7+, Safari 7+, Firefox and Google Chrome; on mobile, Android 4.4+ and iOS 6+.

SSLProtocol TLSv1.2

Configure DH / ECDH Parameters

This section is specific to Apache 2.4.8+ with OpenSSL 1.0.2+.

Generate 4096-bit Diffie-Hellman parameters. This could take anywhere from 10 minutes to several hours. It really depends on the speed of the computer it runs on.

openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096

Then add the following configuration to your Apache SSL configuration VirtualHost. By default this would be in /etc/apache2/sites-enabled/default-ssl.conf.

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

Next, add the configuration parameters for the Elliptic Curve Ciphers. By default, a 256-bit Curve is used, but this isn’t secure enough if you are going for the 100% rating on SSLLabs.com. These options raise the minimum to 384 bits.

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1

Enable OCSP Stapling

OCSP Stapling allows the web server to cache the Certificate Revocation Status of the Certificate. It takes the burden of checking away from the client. For more information check https://en.wikipedia.org/wiki/OCSP_stapling

Edit /etc/apache2/mods-enabled/ssl.conf. Add the below options.

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Enable HTTP Strict Transport Security (HSTS)

Enable the Apache Headers Module

a2enmod headers

Add the following to your HTTPS Virtual Host directive in /etc/apache2/sites-enabled/default-ssl.conf.

# HTTP Strict Transport Security Header.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

This tells the client web browser that this site should only ever be accessed via HTTPS. The client web browser then caches that information for the time specified in max-age.

Other SSL / TLS Settings

Make sure the following other settings are set. The first ensures that the cipher suites are negotiated in the server's preferred order rather than the client's; the second disables TLS compression.

The following configuration goes in /etc/apache2/mods-enabled/ssl.conf

#Turn off SSL Compression. Mitigates the CRIME information leakage attack
SSLCompression off

#Ensure Ciphers are used in order.
SSLHonorCipherOrder on

Optional: Add Other Security Headers

Add the following additional headers to satisfy a few other issues that usually turn up in Pen Test Reports.

Edit /etc/apache2/sites-enabled/default-ssl.conf

# Set a same origin policy
Header always set X-Frame-Options SAMEORIGIN

# Rewrite any session cookies to make them more secure.
# Make sure ALL cookies created by this server are HttpOnly and Secure.
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"

#Prevent browsers doing MIME Type sniffing.
Header always set X-Content-Type-Options nosniff


That is it. If you restart Apache and run an https://www.ssllabs.com Test, you should get full marks.
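To confirm the result yourself before running the SSLLabs test, here is an added example (my own code, not from the article): it checks the negotiated protocol, the cipher strength and the Strict-Transport-Security header against the targets set out above. The check functions run offline, so they can be used against a captured header; probe() needs network access to the host it is given, and a mistyped directive such as includeSubDomainsi is reported as unknown.

```python
import http.client
import ssl

ONE_YEAR = 31536000                       # the page's max-age value
HSTS_DIRECTIVES = {"max-age", "includesubdomains", "preload"}

def parse_hsts(value):
    """'max-age=31536000; includeSubDomains; preload' -> {name: value-or-None}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip() or None
    return out

def check_hsts(value):
    """Findings against the page's target header; an empty list is a pass."""
    findings, d = [], parse_hsts(value)
    for name in d:
        if name not in HSTS_DIRECTIVES:     # catches typos such as includeSubDomainsi
            findings.append(f"unknown directive {name!r}")
    if not (d.get("max-age") or "").isdigit():
        findings.append("max-age missing or not numeric")
    elif int(d["max-age"]) < ONE_YEAR:
        findings.append("max-age shorter than one year")
    for want, label in (("includesubdomains", "includeSubDomains"), ("preload", "preload")):
        if want not in d:
            findings.append(f"{label} missing")
    return findings

def check_tls(protocol, cipher):
    """protocol/cipher as from SSLSocket.version()/.cipher(): TLS 1.2 and >=256-bit only."""
    name, _proto, bits = cipher
    findings = []
    if protocol != "TLSv1.2":
        findings.append(f"negotiated {protocol}, expected TLSv1.2")
    if bits < 256:
        findings.append(f"{name} is only {bits}-bit")
    return findings

def probe(host, port=443):
    """Live check (needs network): one handshake, then a HEAD for the HSTS header."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.connect()                         # conn.sock is now the SSLSocket
    findings = check_tls(conn.sock.version(), conn.sock.cipher())
    conn.request("HEAD", "/")
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return findings + (check_hsts(hsts) if hsts else ["HSTS header missing"])
```

Run `probe("your.host.example")` after restarting Apache; an empty list means all three targets were met.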


Configuring HSTS & OCSP Stapling

There are a couple of new technologies that are becoming more widely used that you may want to think about using. I have written a couple of pages explaining what they are and how to use them. They are definitely worth a look if you are a web server administrator.

How to Configure OCSP Stapling on Apache HTTP Server

How to Configure HTTP Strict Transport Security on Apache & NGINX

Subversion Submitted to Become a Project at The Apache Software Foundation

Today I have discovered that the version control system, Subversion, has submitted a request to become one of the Apache Software Foundation’s Top-Level Projects.

For further information you can read the press release for yourself.