Perfect Forward Secrecy - Apache SSL/TLS Strong Encryption How-To

TL;DR: edit /etc/apache2/mods-enabled/ssl.conf and specify ciphers like this:

# enable only secure protocols:
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED -DES-CBC3-SHA -DES-CBC-SHA RSA !aNULL !eNULL !LOW -3DES !MD5 !EXP !PSK !SRP DSS !RC4 -EDH-RSA-DES-CBC-SHA -EDH-RSA-DES-CBC3-SHA -ADH-DES-CBC-SHA -ADH-DES-CBC3-SHA -DES-CBC-SHA AES128-SHA kRSA -DES-CBC3-SHA"
# new settings recommended for 2020/2021 and later ... SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
SSLCompression off SSLInsecureRenegotiation off

This config has been tested withhttps://www.ssllabs.com/ssltest/ and should give you an "A+" rating. 

 

Long version: Apache - SSL/TLS Strong Encryption How-To:
https://httpd.apache.org/docs/trunk/da/ssl/ssl_howto.html


Was this answer helpful?

 Print this Article

Also Read

Decrypting SSL traffic with tshark (private key required)

Sample: #!/bin/bash tshark -f "tcp port 80" -Y 'http.request || http.response' #OR (for...

Check SSL security, installation and configuration

Feel free to use the collection of SSL tools we are providing to check your SSL configuration and...

How can i verify my SSL certification?

Please use the tools from our SSL Tools site which offer you all kinds of SSL checker tools for...

Why SHA-1 based SSL certificates should NOT be used anymore. Revoke old SHA-1 based certificates and get free SHA-2 ones! Here is why ...

All SSL certificates delivered by us are SHA-2 based by default since November 2014. Multiple...

BSI legt Grundstein für Prüfungen gemäß IT-Sicherheitsgesetz

Betreiber kritischer Infrastruktur müssen sich zukünftig regelmäßig prüfen lassen und dabei...