Apache 2.4.18+ with Letsencrypt on Ubuntu 20.04 - SSL config for A+ on SSLLabs.com

Prerequisites

  • Ubuntu 20.04 (18.04, 16.04 works the same)
  • Apache 2.4.18 or higher
  • OpenSSL 1.0.2g-1ubuntu4.10 or higher
  • a certificate, e.g. from Let's Encrypt
Tested on: Ubuntu 20.04, Apache/2.4.18, OpenSSL 1.0.2g-1ubuntu4.10 and later

SSL Labs result: A+ (RSA 2048 bits, SHA256withRSA)
Certificate: 100%
Protocol Support: 100%
Key Exchange: 90%
Cipher Strength: 90%


Also worth a look is Mozilla's SSL Configuration Generator --> https://mozilla.github.io/server-side-tls/ssl-config-generator/

Read how to enable HTTP/2 afterwards --> https://gist.github.com/GAS85/990b46a3a9c2a16c0ece4e48ebce7300

Enable headers module and restart Apache2:

sudo a2enmod headers
sudo apachectl configtest && sudo service apache2 restart

In ssl.conf (usually /etc/apache2/mods-available/ssl.conf) change the following lines:

NOTE: TLSv1.3 is supported from Apache 2.4.36 with OpenSSL 1.1.1 onwards. On the minimum versions listed above (2.4.18 with OpenSSL 1.0.2) mod_ssl does not know the TLSv1.3 token and apachectl configtest fails with "Illegal protocol", so drop +TLSv1.3 from the SSLProtocol line there. Because a TLS 1.3-only server locks out clients such as Windows 7, I enable both TLS 1.2 and 1.3. Also note that with 2.4.36+ the SSLCipherSuite list below only governs TLS 1.2 and earlier; TLS 1.3 has its own AEAD-only suites, which can be set separately with SSLCipherSuite TLSv1.3 ... if needed.

SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384"

# TLSv1.3 only (needs Apache 2.4.36+ built against OpenSSL 1.1.1)
SSLProtocol TLSv1.3
# To use TLSv1.2 and TLSv1.3 uncomment line below and comment one above. Please read note above.
#SSLProtocol +TLSv1.2 +TLSv1.3
SSLCompression off

# OCSP stapling, available in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
# To add DHE (Diffie-Hellman) key exchange, uncomment the two lines below AND run the dhparam command under "Optionally".
# Note: the Curves line restricts ECDHE to secp384r1 (P-384) and is independent of the DH parameters.
#SSLOpenSSLConfCmd Curves secp384r1
#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

In your SSL VirtualHost, e.g. default-ssl.conf (on Ubuntu under /etc/apache2/sites-available/):

Provide the paths to your certificate, private key and optionally the certificate chain, enable SSLEngine and set the basic security headers. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; pointing SSLCertificateFile at fullchain.pem instead has the same effect. For the HSTS header, SSL Labs requires a max-age of at least 15552000 (180 days) for A+. Only add preload if you intend to submit the domain to hstspreload.org: that list additionally requires max-age of at least 31536000 (one year) plus includeSubDomains, and getting removed again takes a long time.

  ServerName YOUR.Server.com
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/YOUR.Server.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/YOUR.Server.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/YOUR.Server.com/chain.pem
  #Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

Restart Apache

sudo apachectl configtest && sudo service apache2 restart

Optionally

If you also want to offer DHE (Diffie-Hellman) key exchange, generate a 4096-bit parameter file (this takes a while, go and get a coffee):

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

After that, uncomment the last two lines in ssl.conf and restart Apache.
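Added example (not part of this gist): a stdlib-only Python script that audits an Apache config fragment for the settings above. It evaluates the SSLProtocol grammar (all, +NAME, -NAME, bare NAME), checks SSLCompression and SSLUseStapling, and parses the Strict-Transport-Security header against the thresholds SSL Labs (max-age 15552000) and hstspreload.org (max-age 31536000 plus includeSubDomains) apply. The two embedded configs are constructed for the demo: STOCK_CONF approximates Ubuntu's stock ssl.conf defaults, GUIDE_CONF uses this guide's directives with TLS 1.2 and 1.3 enabled. The finding codes and the script name are my own choices.

```python
"""Audit Apache mod_ssl directives for the settings this guide sets.

Added example, not part of the gist. Stdlib only. Reads the config files
given on the command line (merged, so pass ssl.conf and the vhost together)
or the two constructed samples below when run without arguments.
"""
import shlex
import sys

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
MODERN = {"TLSv1.2", "TLSv1.3"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS}   # mod_ssl matches names case-insensitively
SSLLABS_HSTS_MIN = 15552000   # 180 days: what SSL Labs wants for A+
PRELOAD_HSTS_MIN = 31536000   # 1 year: what hstspreload.org wants

# Constructed sample: roughly what Ubuntu's stock ssl.conf enables.
STOCK_CONF = """
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL
"""

# Constructed sample: this guide's directives with TLS 1.2 + 1.3 enabled.
GUIDE_CONF = """
<VirtualHost *:443>
  ServerName YOUR.Server.com
  SSLEngine on
  SSLProtocol +TLSv1.2 +TLSv1.3
  SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
  SSLCompression off
  SSLUseStapling on
  SSLStaplingCache shmcb:/var/run/ocsp(128000)
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</VirtualHost>
"""


def parse_directives(text):
    """Yield (lowercased directive name, argument list) per directive line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and <Section> tags
            continue
        parts = shlex.split(line)            # unquotes the HSTS value
        yield parts[0].lower(), parts[1:]


def enabled_protocols(args):
    """Evaluate SSLProtocol tokens left to right: all, +NAME, -NAME or bare NAME."""
    enabled = set()
    for tok in args:
        key = tok.lstrip("+-").lower()
        if key == "all":
            targets = set(ALL_PROTOCOLS)
        elif key in CANON:
            targets = {CANON[key]}
        else:
            raise ValueError("unknown protocol token %r" % tok)
        if tok.startswith("-"):
            enabled -= targets
        else:
            enabled |= targets
    return enabled


def parse_hsts(value):
    """'max-age=1; includeSubDomains' -> {'max-age': 1, 'includesubdomains': True}"""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().lower().partition("=")
        if key:
            out[key] = int(val) if val else True
    return out


def audit(text):
    """Return (code, message) findings; an empty list means every check passed."""
    seen, hsts, findings = {}, None, []
    for name, args in parse_directives(text):
        if name == "header":
            low = [a.lower() for a in args]
            if "strict-transport-security" in low:
                hsts = args[low.index("strict-transport-security") + 1]
        else:
            seen[name] = args            # a later (vhost) directive overrides an earlier one

    protos = enabled_protocols(seen.get("sslprotocol", ["all", "-SSLv3"]))  # mod_ssl default
    legacy = protos - MODERN
    if legacy:
        findings.append(("legacy-protocol", "SSLProtocol still allows " + ", ".join(sorted(legacy))))
    if not protos & MODERN:
        findings.append(("no-modern-protocol", "neither TLSv1.2 nor TLSv1.3 is enabled"))
    if seen.get("sslcompression", ["off"])[0].lower() == "on":
        findings.append(("compression", "SSLCompression on exposes the CRIME attack"))
    if seen.get("sslusestapling", ["off"])[0].lower() != "on":
        findings.append(("no-stapling", "SSLUseStapling is not on"))
    if hsts is None:
        findings.append(("no-hsts", "no Strict-Transport-Security header; A+ needs HSTS"))
    else:
        h = parse_hsts(hsts)
        age = h.get("max-age", 0)
        if age < SSLLABS_HSTS_MIN:
            findings.append(("hsts-short", "HSTS max-age %d is below %d" % (age, SSLLABS_HSTS_MIN)))
        if "preload" in h and (age < PRELOAD_HSTS_MIN or "includesubdomains" not in h):
            findings.append(("preload-ineligible", "preload set, but hstspreload.org needs "
                             "max-age >= %d and includeSubDomains" % PRELOAD_HSTS_MIN))
    return findings


if __name__ == "__main__":
    if sys.argv[1:]:
        samples = [("argv files", "\n".join(open(p).read() for p in sys.argv[1:]))]
    else:
        samples = [("stock sample", STOCK_CONF), ("guide sample", GUIDE_CONF)]
    for label, conf in samples:
        found = audit(conf)
        print("%s: %s" % (label, "OK" if not found else "%d finding(s)" % len(found)))
        for code, msg in found:
            print("  [%s] %s" % (code, msg))
```

Run it as python3 audit_ssl.py /etc/apache2/mods-available/ssl.conf /etc/apache2/sites-available/default-ssl.conf to check the real files. Run bare, the stock sample reports legacy protocols, missing stapling and missing HSTS, while the guide sample passes everything except the preload check, because max-age=15552000 is enough for SSL Labs but not for hstspreload.org.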

If you would like to enable certificate pinning (HPKP), read here: https://gist.github.com/GAS85/a668b941f84c621a15ff581ae968e4cb (note that Chrome and Firefox have since removed HPKP support, so the header no longer has any effect in current browsers).


P.S. If you want to trim the cipher list down to the strongest suites, use one of the following (from most to least compatible; SSL Labs marks CBC-mode suites as WEAK):

  • works with every client, but contains a lot of weak ciphers:

    SSLCipherSuite HIGH:!aNULL
    
  • works with every client, still contains a lot of weak ciphers:

    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
    
  • still works with every client (this is the list used in the example above):

    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384"
    
  • IE11 and Windows Phone 8.1 cannot connect, nor can Safari before 9:

    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384"
    
  • IE11 on every Windows version except Windows 10 cannot connect, nor can old Safari:

    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384"
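To see what a given SSLCipherSuite string actually turns into, you can expand it with the same OpenSSL library mod_ssl uses. The following is an added example, not part of this gist: it uses Python's stdlib ssl module to expand two strings from this page (the recommended list and the broad HIGH:!aNULL) and flags the suites that cost points on SSL Labs: no forward secrecy, CBC mode (reported as WEAK), and 128-bit keys (the reason the recommended list scores 90% rather than 100% on Cipher Strength, since that score averages the strongest and weakest suite). The output depends on the OpenSSL version Python links against; TLS 1.3 suites only appear with OpenSSL 1.1.1 or newer.

```python
"""Expand an OpenSSL cipher string the way mod_ssl will and grade each suite.

Added example, not from the gist. Stdlib ssl module only; the expansion
reflects the OpenSSL library Python is built against.
"""
import ssl

# The guide's recommended list and the broad "HIGH:!aNULL" it warns about.
GUIDE_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384"
)
BROAD_LIST = "HIGH:!aNULL"


def expand(spec):
    """Return the cipher dicts OpenSSL selects for this SSLCipherSuite value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)          # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def classify(cipher):
    """Forward secrecy, AEAD and key size flags for one suite."""
    name = cipher["name"]
    # ECDHE-/DHE- use ephemeral key exchange; TLS_ names are TLS 1.3 suites,
    # which are always ephemeral. Anything else (e.g. AES256-SHA) is static RSA.
    pfs = name.startswith(("ECDHE-", "DHE-", "TLS_"))
    # Older Python builds lack the "aead" key; fall back to OpenSSL's description.
    aead = cipher.get("aead", "Mac=AEAD" in cipher["description"])
    return {"name": name, "protocol": cipher["protocol"], "pfs": pfs,
            "aead": aead, "bits": cipher["strength_bits"]}


def report(spec):
    """Summarise a cipher string: total suites and the names that get marked down."""
    rows = [classify(c) for c in expand(spec)]
    return {
        "total": len(rows),
        "non_pfs": [r["name"] for r in rows if not r["pfs"]],
        "cbc": [r["name"] for r in rows if not r["aead"]],          # SSL Labs: WEAK
        "below_256": [r["name"] for r in rows if r["bits"] < 256],  # costs Cipher Strength points
    }


if __name__ == "__main__":
    for label, spec in (("guide list", GUIDE_LIST), ("HIGH:!aNULL", BROAD_LIST)):
        r = report(spec)
        print("%s: %d suites, %d without forward secrecy, %d CBC, %d below 256 bits"
              % (label, r["total"], len(r["non_pfs"]), len(r["cbc"]), len(r["below_256"])))
        for name in r["non_pfs"] + r["cbc"]:
            print("   flagged:", name)
```

The recommended list expands to only forward-secret suites, with the two ECDHE-*-AES256-SHA384 entries as its CBC stragglers, which is exactly what the last two variants in the P.S. above drop. HIGH:!aNULL additionally pulls in static-RSA suites such as AES256-GCM-SHA384, which is why the page calls it weak despite the HIGH keyword.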
    

moiseslodeiro commented Feb 26, 2018

Thanks! 👍

GAS85 (author) commented Apr 4, 2018

You're welcome!


leolepi commented Aug 8, 2018

Nice post, it helped a lot! thanks


mxs42 commented Sep 8, 2018

Overall Rating: A+

Very good and helpful, thanks for that!


adisubektie commented Dec 2, 2019

thanks


ZetiX commented Mar 7, 2020

If anyone's using NextCloudPi like I am and looking to disable TLS 1.0 and 1.1, the config file you should edit is in /etc/apache2/conf-available/http2.conf under #SSL/TLS Configuration


Mites88 commented Jun 24, 2020

Works well on CentOS.
