# Apache 2.4 SSL config for A+ on SSLLabs.com
OS: Ubuntu 14.04 LTS, Apache 2.4.7, OpenSSL 1.0.1f
SSL Labs: A+ (RSA2048, SHA256 certificate)
Certificate: 100%
Protocol Support: 95%
Key Exchange: 90%
Cipher Strength: 90%
### In the SSL.CONF file

```apache
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck Off
SSLCompression off
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
```

### In the `<virtualhost>` section of file default-ssl.conf

```apache
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
```

### headers_module must be enabled for these extra security settings

```apache
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header set Public-Key-Pins "pin-sha256=\"<Subject Public Key Information (SPKI)>\"; max-age=2592000; includeSubDomains"
Header always set X-Frame-Options SAMEORIGIN
```
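The following is an added example, not part of the gist: a small offline linter that reads directives in this form and flags the points the comments on this gist raise (TLSv1/TLSv1.1 still enabled, HPKP present), plus a missing HSTS header or cipher ordering. It evaluates `SSLProtocol` tokens the way Apache does (`+` adds, `-` removes, `all` expands). The `ALL_PROTOCOLS` set is an assumption of this script (the real expansion depends on the OpenSSL build), and the two sample configs are constructed here: one copies the gist's directives, the other applies the changes the commenters suggest.

```python
import shlex
from typing import List, Set, Tuple

# Assumption: what Apache's "all" keyword expands to. The real set depends on
# the OpenSSL build (TLSv1.3 only exists with OpenSSL 1.1.1 or later).
ALL_PROTOCOLS: Set[str] = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}
WEAK_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

# Constructed sample: the gist's directives, HPKP pin left as a placeholder.
GIST_CONF = r"""
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header set Public-Key-Pins "pin-sha256=\"<SPKI placeholder>\"; max-age=2592000; includeSubDomains"
"""

# Constructed sample: TLS 1.2 only and no HPKP, as the comments suggest.
HARDENED_CONF = r"""
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
SSLProtocol -ALL +TLSv1.2
SSLHonorCipherOrder on
SSLCompression off
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
"""


def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Split config lines into (directive, args). shlex handles the quoted
    Header values, including the escaped quotes inside the HPKP pin."""
    out: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments and section tags such as <VirtualHost ...>
        if not line or line[0] in "#<":
            continue
        parts = shlex.split(line)
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def enabled_protocols(args: List[str]) -> Set[str]:
    """Evaluate SSLProtocol tokens left to right: '-' removes, '+' or a
    bare name adds, and 'all' stands for every protocol the build knows."""
    enabled: Set[str] = set()
    for tok in args:
        sign = tok[0] if tok[0] in "+-" else "+"
        name = tok.lstrip("+-")
        if name.lower() == "all":
            members = set(ALL_PROTOCOLS)
        else:
            members = {CANONICAL.get(name.lower(), name)}
        if sign == "-":
            enabled -= members
        else:
            enabled |= members
    return enabled


def audit(conf: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    protocols = None
    honor_order = False
    headers: Set[str] = set()
    for name, args in parse_directives(conf):
        key = name.lower()
        if key == "sslprotocol":
            protocols = enabled_protocols(args)
        elif key == "sslcompression" and args and args[0].lower() == "on":
            findings.append("SSLCompression on: TLS compression enables CRIME")
        elif key == "sslhonorcipherorder" and args and args[0].lower() == "on":
            honor_order = True
        elif key == "header":
            # Header [always] set <Name> <value>; record which names are set
            toks = args[1:] if args and args[0].lower() == "always" else args
            if len(toks) >= 2 and toks[0].lower() == "set":
                headers.add(toks[1].lower())
    if protocols is None:
        findings.append("SSLProtocol not set: the build default applies")
    else:
        for weak in WEAK_PROTOCOLS:
            if weak in protocols:
                findings.append(f"{weak} enabled: disable it unless legacy clients need it")
    if not honor_order:
        findings.append("SSLHonorCipherOrder not on: the client picks the cipher")
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header")
    if "public-key-pins" in headers:
        findings.append("Public-Key-Pins set: HPKP is deprecated and can lock clients out")
    return findings


if __name__ == "__main__":
    for label, conf in (("gist", GIST_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run it as-is to compare the two samples, or replace `GIST_CONF` with the contents of your own ssl.conf; the linter only reads text and never connects to a server, so it is a pre-deploy check, not a substitute for an external scan such as SSL Labs.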
@ibrahim87 commented Mar 2, 2016

very good

@angshumancn commented Jul 5, 2016

Does the above keyword support Apache/2.2.22?

@DarkLogicX commented Jul 28, 2016

Where is the "Default-SSL.conf" file?

Also when I put "SSLStaplingCache shmcb:/tmp/stapling_cache(128000)" in the SSL.conf file (the one in Httpd/conf.d/) httpd wouldn't start.

@cofifield commented Aug 29, 2016

Great Info

@zachariahtimothy commented Aug 28, 2017

Just used this, thanks for sharing! I omitted the public key pins and still received A+.

@cristiroma commented May 15, 2018

I'm not entirely sure the below is correct, but using the suggested config `SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2` triggers https://www.whynopadlock.com/ to show a warning that TLSv1 is enabled, which is not good. We are using `SSLProtocol TLSv1.2`, which is the current standard, with TLSv1.3 upcoming.

@RavSS commented Jun 30, 2018

I would avoid configuring HPKP, which is the `Header set Public-Key-Pins...` line; it's deprecated and can cause serious downtime if you fail to use it correctly, e.g. if you don't have backup certificates. Chrome 67 (and Google altogether) recently dropped support for it, and the end user has to enable it manually via Chrome flags. TLSv1 might still be required if you need to support older browsers and devices like IE10 and Android 4.3 or below.
