Add Ciphers and protocols in httpd.conf

Restrict the protocol versions with the SSLProtocol directive and add the listed ciphers with the SSLCipherSuite directive inside the SSL virtual host in Apache HTTPD, as below:
~~~~~~~
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
~~~~~~~
– SSL 3.0 and TLS 1.0 are susceptible to known attacks on the protocol; they are disabled entirely.
– Disabling TLS 1.1 is (as of August 2016) mostly optional; TLS 1.2 provides stronger encryption options, but 1.1 is not yet known to be broken. Disabling 1.1 may mitigate attacks against some broken TLS implementations.
==> In addition, you can make the server accept strong encryption only by adding the following directives as well:
~~~~~~~
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
~~~~~~~
– Enabling SSLHonorCipherOrder ensures that the server’s cipher preferences are followed instead of the client’s.
– Disabling SSLCompression prevents TLS compression oracle attacks (e.g. CRIME).
– Disabling SSLSessionTickets ensures Perfect Forward Secrecy is not compromised if the server is not restarted regularly: the key that encrypts session tickets is held in memory for the lifetime of the httpd process, so on a long-running server that one key could decrypt every ticket-resumed session.
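The two blocks above are easy to get subtly wrong (a leftover `-SSLv2`-only SSLProtocol line, a group keyword such as `HIGH` in place of an explicit suite list, a flag directive missing from the vhost). As an added example, not code from the original post, here is a small offline linter that parses an SSL virtual host fragment and reports anything that contradicts the settings recommended above. The vhost samples, the `audit_vhost` / `enabled_protocols` names, and the expansion of mod_ssl's `all` keyword to SSLv3 plus TLS 1.0 to 1.2 are assumptions made for this example.

```python
# Added example: offline lint of an Apache SSL vhost against the settings recommended above.
# Sample vhost text and function names are constructed for this example, not taken from the post.

# Constructed sample: a vhost that applies every directive from the post.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
</VirtualHost>
"""

# Constructed sample: a vhost that still allows old protocols and a catch-all cipher string.
WEAK_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:RC4-SHA
    SSLHonorCipherOrder off
</VirtualHost>
"""

# Protocol versions the post disables, and what mod_ssl's "all" keyword expands to
# (assumption: SSLv3 plus TLS 1.0-1.2; builds against newer OpenSSL also add TLSv1.3).
LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
ALL_EXPANDS_TO = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Name fragments that should not appear in an explicit cipher suite list.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "PSK", "ADH", "AECDH")

# Expected values for the three extra directives from the post.
EXPECTED_FLAGS = {"sslhonorcipherorder": "on", "sslcompression": "off", "sslsessiontickets": "off"}


def parse_directives(config_text):
    """Map each directive name (lower-cased) to its argument string.
    Section tags (<VirtualHost>), blank lines and comments are skipped; a repeated
    directive keeps its last value."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def enabled_protocols(sslprotocol_value):
    """Apply the SSLProtocol grammar: 'all' enables the base set, '-X' removes X,
    '+X' or a bare 'X' adds X. Returns the resulting set of lower-cased version names."""
    if sslprotocol_value is None:
        return set(ALL_EXPANDS_TO)  # an absent directive behaves like 'all'
    enabled = set()
    for token in sslprotocol_value.split():
        t = token.lower()
        if t == "all":
            enabled |= ALL_EXPANDS_TO
        elif t.startswith("-"):
            enabled.discard(t[1:])
        else:
            enabled.add(t.lstrip("+"))
    return enabled


def audit_vhost(config_text):
    """Return a list of findings; an empty list means the vhost matches the post's settings."""
    d = parse_directives(config_text)
    findings = []

    for proto in sorted(enabled_protocols(d.get("sslprotocol")) & LEGACY_PROTOCOLS):
        findings.append(f"SSLProtocol still enables {proto}")

    suite = d.get("sslciphersuite")
    if suite is None:
        findings.append("SSLCipherSuite not set (the OpenSSL default list will be used)")
    else:
        for name in suite.split(":"):
            if name.startswith(("!", "-", "+")):
                continue  # exclusion or ordering operator, not an enabled suite
            if not name.startswith("ECDHE-"):
                # Either a non-forward-secret suite or an OpenSSL group keyword such as HIGH,
                # which hides what is really enabled until expanded with `openssl ciphers -v`.
                findings.append(f"SSLCipherSuite entry without ECDHE key exchange: {name}")
            if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"SSLCipherSuite entry uses weak primitive: {name}")

    for directive, expected in EXPECTED_FLAGS.items():
        actual = d.get(directive)
        if actual is None or actual.lower() != expected:
            findings.append(f"{directive} should be '{expected}', found {actual!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", SAMPLE_VHOST), ("weak", WEAK_VHOST)):
        print(f"[{label}]")
        for finding in audit_vhost(text) or ["no findings"]:
            print("  -", finding)
```

Running the script reports nothing for the hardened vhost and nine findings for the weak one (three leftover protocol versions, the `HIGH` group keyword and the RC4 suite, and the three flag directives). The linter only reads the configuration file; pair it with an actual handshake check against the running server, since the effective protocol set also depends on the OpenSSL build httpd is linked against.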

More details about the SSL directives can be found in the Apache mod_ssl documentation.
