This configuration is a bit of a moving target, and will likely change in future as security changes.
This is a fairly simple process. Configure all the steps and you will get an A+ rating with 100% score for Certificate, Protocol Support, Key Exchange & Cipher Strength.
This configuration is known to work on Ubuntu 16.04 LTS, but it should work on other setups providing you have the right software versions. Please note that the configuration of DH / ECDH requires at least Apache 2.4.8+ with OpenSSL 1.0.2+.
This set of instructions also assumes that you have a working SSL configuration with the proper CA signed certificate of 4096 bit RSA.
If you need more information on how to do that, look at this article.
** Please back up your configuration before you make changes, just in case. **
Configure Secure Cipher Suites
Modify the SSLCipherSuite directive in /etc/apache2/mods-enabled/ssl.conf to disable all cipher suites that are not 256 bit or above.
Configure SSL / TLS Protocols
Also in /etc/apache2/mods-enabled/ssl.conf
Ensure that only TLS 1.2 is enabled (the SSLProtocol directive). All modern web browsers support it, including Internet Explorer 11 on Windows 7+, Safari 7+, Firefox and Google Chrome; on mobile, Android 4.4+ and iOS 6+.
Configure DH / ECDH Parameters
This section is specific to Apache 2.4.8+ with OpenSSL 1.0.2+.
Generate 4096-bit Diffie-Hellman parameters. This could take anywhere from 10 minutes to several hours. It really depends on the speed of the computer it runs on.
openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Then add the following configuration to your Apache SSL configuration VirtualHost. By default this would be in /etc/apache2/sites-enabled/default-ssl.conf.
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
Next, add the configuration parameters for the Elliptic Curve Ciphers. By default, a 256-bit Curve is used, but this isn’t secure enough if you are going for the 100% rating on SSLLabs.com. These options raise the minimum to 384 bits.
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
Enable OCSP Stapling
OCSP Stapling lets the web server fetch and cache the revocation status of its own certificate and send it to the client during the handshake, so the client does not have to contact the OCSP responder itself. For more information see https://en.wikipedia.org/wiki/OCSP_stapling
Edit /etc/apache2/mods-enabled/ssl.conf. Add the below options.
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Enable HTTP Strict Transport Security (HSTS)
Enable the Apache Headers Module
Add the following to your HTTPS Virtual Host directive in /etc/apache2/sites-enabled/default-ssl.conf.
# HTTP Strict Transport Security Header.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
This tells the client web browser that this site should only ever be accessed via HTTPS. The client web browser then caches that information for the time specified in max-age.
Other SSL / TLS Settings
Make sure the following other settings are set. SSLHonorCipherOrder ensures that the cipher suites are negotiated in the server's preferred order rather than the client's, and SSLCompression off ensures that TLS compression is disabled.
The following configuration goes in /etc/apache2/mods-enabled/ssl.conf
# Turn off SSL compression. Mitigates the CRIME information leakage attack.
SSLCompression off
# Ensure ciphers are used in the server's order.
SSLHonorCipherOrder on
Optional: Add Other Security Headers
Add the following additional headers to satisfy a few other issues that usually turn up in pen test reports.
# Set a same origin policy
Header always set X-Frame-Options SAMEORIGIN
# Rewrite any session cookies to make them more secure:
# ensure ALL cookies created by this server are HttpOnly and Secure
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Prevent browsers doing MIME type sniffing.
Header always set X-Content-Type-Options nosniff
That is it. If you restart Apache and run an https://www.ssllabs.com test, you should get full marks.
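Before restarting Apache it is worth checking the file for the slips this kind of edit invites: a misspelt HSTS flag, a protocol list that still allows TLS 1.0, stapling turned on without a cache, no Curves directive. The following Python script is an added example and not part of the article: it lints a flat mod_ssl configuration against the settings above and reports each deviation. The two sample configurations are constructed for the demonstration; the allow-list of curves, the set of protocols that Apache's "all" keyword expands to, and the expectation that every directive is set explicitly are assumptions of the script, not Apache behaviour it verifies.

```python
"""Lint an Apache mod_ssl configuration against the checklist in the article.

Added example, not code from the article. It understands only the flat
directive syntax the article uses (no Include, no nested sections), and the
expected values are the ones the article recommends."""
import re
import shlex

# Assumed expansion of Apache's "all" keyword; the real list depends on the build.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
# Assumed allow-list of curves meeting the article's 384-bit minimum.
STRONG_CURVES = {"secp384r1", "secp521r1"}
MIN_HSTS_AGE = 31536000  # one year, the article's max-age
HSTS_FLAGS = {"includesubdomains", "preload"}


def parse_config(text):
    """Yield (directive, args); comments and <Section> tags are skipped and
    the directive name is lowercased because Apache matches it case-insensitively."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = shlex.split(line)  # honours the double quotes Apache uses
        yield parts[0].lower(), parts[1:]


def enabled_protocols(args):
    """Evaluate SSLProtocol's token syntax: 'all' expands, a '-' prefix removes,
    '+' or no prefix adds. Returns the lowercased set of protocols left enabled."""
    enabled = set()
    for tok in args:
        name = tok.lstrip("+-").lower()
        names = set(ALL_PROTOCOLS) if name == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    directives, headers = {}, {}
    for name, args in parse_config(text):
        if name == "header":  # only "Header [always] set Name Value" is inspected
            a = args[1:] if args and args[0].lower() == "always" else args
            if len(a) >= 3 and a[0].lower() == "set":
                headers[a[1].lower()] = a[2]
        elif name == "sslopensslconfcmd" and len(args) >= 2:
            directives[name + ":" + args[0].lower()] = args[1:]
        else:
            directives[name] = args
    findings = []

    def expect(directive, value, why):
        actual = directives.get(directive.lower())
        if actual is None:
            findings.append(f"{directive} not set ({why})")
        elif [a.lower() for a in actual] != [value]:
            findings.append(f"{directive} is {' '.join(actual)!r}, expected {value!r} ({why})")

    protos = enabled_protocols(directives.get("sslprotocol", ["all"]))
    if protos != {"tlsv1.2"}:
        findings.append(f"SSLProtocol enables {sorted(protos)}, expected only TLSv1.2")
    expect("SSLCompression", "off", "CRIME")
    expect("SSLHonorCipherOrder", "on", "server picks the cipher order")
    expect("SSLUseStapling", "on", "OCSP stapling")
    if "sslusestapling" in directives and "sslstaplingcache" not in directives:
        findings.append("SSLUseStapling without an SSLStaplingCache")
    if "sslopensslconfcmd:dhparameters" not in directives:
        findings.append("no custom DHParameters file (4096-bit DH)")
    curves = directives.get("sslopensslconfcmd:curves")
    if curves is None:
        findings.append("no Curves directive, the default 256-bit curve will be offered")
    else:
        weak = [c for c in curves[0].split(":") if c.lower() not in STRONG_CURVES]
        if weak:
            findings.append(f"Curves lists curve(s) outside the allow-list: {weak}")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        tokens = [t.strip().lower() for t in hsts.split(";") if t.strip()]
        age = re.match(r"max-age=(\d+)$", tokens[0]) if tokens else None
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age missing or below {MIN_HSTS_AGE}")
        unknown = [t for t in tokens[1:] if t not in HSTS_FLAGS]
        if unknown:  # catches typos such as "includeSubDomainsi"
            findings.append(f"HSTS has unrecognised token(s) {unknown}, check spelling")
        if "includesubdomains" not in tokens:
            findings.append("HSTS lacks includeSubDomains")
    if headers.get("x-frame-options", "").upper() not in {"SAMEORIGIN", "DENY"}:
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    return findings


# Constructed sample: the article's settings with the hardened values.
HARDENED = """
SSLProtocol -all +TLSv1.2
SSLCompression off
SSLHonorCipherOrder on
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
<VirtualHost *:443>
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
    SSLOpenSSLConfCmd ECDHParameters secp384r1
    SSLOpenSSLConfCmd Curves secp521r1:secp384r1
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
</VirtualHost>
"""

# Constructed sample with common slips: protocol list too wide, compression on,
# no stapling cache, no Curves directive, misspelt HSTS flag, nosniff missing.
WEAK = """
SSLProtocol all -SSLv3
SSLCompression on
SSLHonorCipherOrder on
SSLUseStapling On
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomainsi; preload"
Header always set X-Frame-Options SAMEORIGIN
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "->", lint(cfg) or "all checks passed")
```

To run it against a real server, replace the constructed strings with the contents of ssl.conf and default-ssl.conf concatenated; the checks are per directive, so order between the two files does not matter. The script deliberately does not evaluate SSLCipherSuite, because which suites a given string expands to depends on the OpenSSL build and is best read from `openssl ciphers -v` on the host itself.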