Perfect Forward Secrecy - Apache SSL/TLS Strong Encryption How-To

TL;DR: edit /etc/apache2/mods-enabled/ssl.conf and specify ciphers like this:

# enable only secure protocols: TLSv1 and later, but not SSLv2 or SSLv3
SSLHonorCipherOrder On
SSLCipherSuite     "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED -DES-CBC3-SHA -DES-CBC-SHA RSA !aNULL !eNULL !LOW -3DES !MD5 !EXP !PSK !SRP DSS !RC4 -EDH-RSA-DES-CBC-SHA -EDH-RSA-DES-CBC3-SHA -ADH-DES-CBC-SHA -ADH-DES-CBC3-SHA -DES-CBC-SHA AES128-SHA kRSA -DES-CBC3-SHA"
SSLProtocol -ALL -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression off
SSLInsecureRenegotiation off

This config has been tested with https://www.ssllabs.com/ssltest/ and should give you an "A+" rating.
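The cipher string above also contains RSA key-exchange terms (`RSA`, `kRSA`, `AES128-SHA`), which have no forward secrecy and are only acceptable as fallbacks ranked below the ECDHE/DHE suites. The following is an added example, not part of the original article: it audits `openssl ciphers -v` output for that property. The function names are hypothetical and the sample listing is constructed.

```python
# Added example: audit `openssl ciphers -v` output for forward secrecy.
# Function names are hypothetical; SAMPLE is constructed, not captured.

# Kx values that mean an ephemeral key exchange. "RSA" and the static
# "ECDH/RSA" / "DH/DSS" forms printed by older OpenSSL are not in the set.
EPHEMERAL_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}  # "any" = TLSv1.3

SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA        TLSv1   Kx=ECDH     Au=RSA  Enc=AES(256)    Mac=SHA1
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
"""


def parse(listing):
    """Return [(suite_name, protocol, kx)] in the listed preference order."""
    suites = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append((fields[0], fields[1], attrs.get("Kx", "?")))
    return suites


def audit(listing):
    """Summarise which suites lack forward secrecy and where they rank."""
    suites = parse(listing)
    flags = [kx in EPHEMERAL_KX for _, _, kx in suites]
    # Index of the first suite without forward secrecy (None if all have it).
    first_bad = flags.index(False) if False in flags else None
    return {
        "total": len(suites),
        "non_pfs": [name for (name, _, _), ok in zip(suites, flags) if not ok],
        # True when no forward-secret suite is ranked below a non-PFS one, so
        # with SSLHonorCipherOrder On the non-PFS suites act only as fallback.
        "pfs_preferred": first_bad is None or not any(flags[first_bad:]),
    }


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("suites:", report["total"])
    print("without forward secrecy:", ", ".join(report["non_pfs"]) or "none")
    print("forward-secret suites ranked first:", report["pfs_preferred"])
```

For real input, pass the text printed by `openssl ciphers -v '<your SSLCipherSuite string>'`; the expanded list depends on the local OpenSSL build.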

 

Long version: Apache - SSL/TLS Strong Encryption How-To:
https://httpd.apache.org/docs/trunk/da/ssl/ssl_howto.html
