Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Apache 2.4.18 + Letsencrypt + Ubuntu 18.04 - SSL config for A+ on SSLLabs.com

Prerequisites

  • Ubuntu 18.04 (16.04 works the same)
  • Apache 2.4.18 or higher
  • OpenSSL 1.0.2g-1ubuntu4.10 or higher
  • e.g. LetsEncrypt certificate
OS: Ubuntu 18.04 Apache/2.4.18 1.0.2g-1ubuntu4.10
SSL Labs: A+ RSA 2048 bits (SHA256withRSA)
Certificate: 100%
Protocol Support: 100%
Key Exchange: 90%
Cipher Strength: 90%

Header

Interesting is also --> https://mozilla.github.io/server-side-tls/ssl-config-generator/

Read how to enable HTTP2.0 afterwards --> https://gist.github.com/GAS85/990b46a3a9c2a16c0ece4e48ebce7300

Enable headers module:

sudo a2enmod headers
sudo service apache2 restart

In the SSL.CONF (usually under /etc/apache2/mods-available) file change following lines:

NOTE: TLSv1.3 is now supported in Apache2 version 2.4.36 with OpenSSL 1.1.1. Since using of it will avoid such clients as Windows 7 I enable both TLS 1.2. and 1.3.

SSLCipherSUite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"

# This TLSv1.2 only
SSLProtocol TLSv1.2
# To use TLSv1.2 and TLSv1.3 uncomment line below and comment one above. Please read note above.
#SSLProtocol +TLSv1.2 +TLSv1.3
SSLCompression off

#enable of OCSP stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
#if you want to add DHE (Diffie-Hellman key exchange) unkomment lines below AND RUN Command from "Optional" below
#SSLOpenSSLConfCmd Curves secp384r1
#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

in default-ssl.conf

 ServerName YOUR.Server.com
 SSLEngine on
 SSLCertificateFile /etc/letsencrypt/live/YOUR.Server.com/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/YOUR.Server.com/privkey.pem
 SSLCertificateChainFile /etc/letsencrypt/live/YOUR.Server.com/chain.pem
 #Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

Restart Apache

sudo service apache2 restart

Optionally

if you want to participate in Diffie-Hellman key exchange run and take a coffee:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

after that uncomment last 2 lines in SSL.conf and restart apache2

If you would like to enable Certificate Pinning, please read here about: https://gist.github.com/GAS85/a668b941f84c621a15ff581ae968e4cb


P.S. if you would like to reduce amount of ciphers to use to minimum of most secured, please use one of following:

  • valid for all, but a lot of weaks Ciphers screenshot:

    SSLCipherSuite HIGH:!aNULL
    
  • valid for all, still a lot of weak Ciphers screenshot:

    SSLCipherSUite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
    
  • still valid for all screenshot:

    SSLCipherSUite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384"
    
  • IE11/WinPhone 8.1 will not be able to connect as also Safari before 9 screenshot:

    SSLCipherSUite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384"
    
  • IE11 on all Windows devices, except Windows 10 will not be able to connect as also old Safari screenshot:

    SSLCipherSUite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384"
    
@moiseslodeiro

This comment has been minimized.

Copy link

@moiseslodeiro moiseslodeiro commented Feb 26, 2018

Thanks! 👍

@GAS85

This comment has been minimized.

Copy link
Owner Author

@GAS85 GAS85 commented Apr 4, 2018

You welcome!

@leolepi

This comment has been minimized.

Copy link

@leolepi leolepi commented Aug 8, 2018

Nice post, it helped a lot! thanks

@mxs42

This comment has been minimized.

Copy link

@mxs42 mxs42 commented Sep 8, 2018

Overall Rating
A+

Very good and helpful, thanks for that!

@adisubektie

This comment has been minimized.

Copy link

@adisubektie adisubektie commented Dec 2, 2019

thanks

@ZetiX

This comment has been minimized.

Copy link

@ZetiX ZetiX commented Mar 7, 2020

If anyone's using NextCloudPi like I am and looking to disable TLS 1.0 and 1.1, the config file you should edit is in /etc/apache2/conf-available/http2.conf under #SSL/TLS Configuration

@Mites88

This comment has been minimized.

Copy link

@Mites88 Mites88 commented Jun 24, 2020

Works well on CentOS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment