httpd-users mailing list archives

From David Mehler <>
Subject Re: [users@httpd] Enabling Forward secrecy on SSL
Date Fri, 17 Mar 2017 19:12:55 GMT

Try this configuration. If anyone can take a look at this setup and see
whether I've missed something or need a protocol adjustment, let me
know. I get an A+ on ssllabs.


SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

# OCSP Stapling settings
SSLUseStapling On
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLStaplingResponderTimeout 15
SSLStaplingReturnResponderErrors off
SSLStaplingStandardCacheTimeout 3600

# For modern configuration
SSLProtocol all -SSLv2 -SSLv3
# Enable PFS
SSLHonorCipherOrder on
SSLCompression Off
SSLSessionTickets Off
# Strong dh parameters file
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

# For temporary legacy intermediate clients
#SSLProtocol             all -SSLv2 -SSLv3
#SSLHonorCipherOrder     on
#SSLCompression          off
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/www/apache24/sslvhost"
    ErrorLog "/var/log/http-ssl-error.log"
    TransferLog "/var/log/httpd-ssl-access.log"
    SSLEngine on

    # harden with http strict transport security
    # Add 6 month HSTS header for all users
    #Header always set Strict-Transport-Security "max-age=15768000"
    # If you want to protect all subdomains, use the following header
    # ALL subdomains HAVE TO support HTTPS if you use this!
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

    # Avoid click jacking
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/usr/local/www/apache24/sslvhost">
        Require all granted
        Options FollowSymLinks
        AllowOverride none
    </Directory>

    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    CustomLog "/var/log/httpd-ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

On 3/17/17, Chunduru, Krishnachaithanya <> wrote:
> Hi All,
> Can someone advise me on how to achieve the below on a server running with
> Apache SSL enabled?
> * SSL - Supports Weak Encryption: The following protocols should be
>   switched on - TLS 1.2, TLS 1.1, TLS 1.0. SSL 3 and SSL 2 should be
>   disabled.
> * Weak Configuration - SSL/TLS - Deprecated Protocol: Disable the
>   use of SSL 2.0 and 3.0 as well as TLS 1.0. Use TLS 1.1, 1.2, or later and
>   set the latest protocol as preferred.
> * The Server Does Not Support Forward Secrecy :
> Regards,
> Krishna
> This message and any attachments are intended only for the use of the
> addressee and may contain information that is privileged and confidential.
> If the reader of the message is not the intended recipient or an authorized
> representative of the intended recipient, you are hereby notified that any
> dissemination of this communication is strictly prohibited. If you have
> received this communication in error, please notify us immediately by e-mail
> and delete the message and any attachments from your system.
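One thing worth noting about the configuration posted above: it sets no SSLCipherSuite, so which suites are offered, and whether static RSA key exchange (no forward secrecy) stays available, depends on the OpenSSL and mod_ssl defaults on that box. The script below is an added example and is not from either message in this thread. It writes a mod_ssl fragment that answers all three scanner findings in Krishna's question (SSLv2, SSLv3 and TLS 1.0 off with the highest remaining version negotiated; only ECDHE/DHE key exchange; server-side cipher ordering) and a small POSIX sh lint that checks any httpd config file for those settings. The cipher names are standard OpenSSL suite names; the dhparam path and both config fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a hardened mod_ssl fragment plus a
# lint function that checks an httpd config file for old protocols, non-PFS
# key exchange and client-chosen cipher order. Paths are assumptions.

# Write the hardened fragment (constructed for this example) to the file $1.
write_hardened_conf() {
  cat > "$1" <<'EOF'
# SSLv2, SSLv3 and TLS 1.0 off; TLS 1.1 and 1.2 stay on and the handshake
# negotiates the highest version both sides support
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# Forward secrecy: only ephemeral (ECDHE/DHE) key exchange is offered
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
# The server, not the client, picks from that list
SSLHonorCipherOrder on
# DHE suites need a strong group (assumed path; generate with openssl dhparam -out ... 2048)
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
EOF
}

# Write a fragment (constructed) that would still fail the scanner:
# TLS 1.0 on, RSA key exchange allowed via keywords, client chooses the cipher.
write_weak_conf() {
  cat > "$1" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder off
EOF
}

# Print the value of the last occurrence of directive $1 in file $2 (httpd
# uses the last one it reads); directive names are case-insensitive in httpd.
last_directive() {
  grep -i "^[[:space:]]*$1[[:space:]]" "$2" | tail -n 1 | awk '{ $1 = ""; sub(/^ /, ""); print }'
}

# Return 0 when the file disables SSLv3 and TLS 1.0, lists only ECDHE/DHE
# suites by name, and honours the server order; print the first failure otherwise.
check_conf() {
  f="$1"
  proto=" $(last_directive SSLProtocol "$f") "
  case "$proto" in *" -SSLv3 "*) ;; *) echo "FAIL: SSLv3 not disabled"; return 1 ;; esac
  case "$proto" in *" -TLSv1 "*) ;; *) echo "FAIL: TLS 1.0 not disabled"; return 1 ;; esac

  ciphers=$(last_directive SSLCipherSuite "$f" | tr -d '"')
  [ -n "$ciphers" ] || { echo "FAIL: no SSLCipherSuite, OpenSSL defaults apply"; return 1; }
  old_ifs=$IFS; IFS=:
  for c in $ciphers; do
    # Only explicit ephemeral suites pass; keywords such as HIGH expand to
    # static-RSA suites too, so they are rejected as well.
    case "$c" in ECDHE-*|DHE-*) ;; *) IFS=$old_ifs; echo "FAIL: non-PFS suite or keyword: $c"; return 1 ;; esac
  done
  IFS=$old_ifs

  order=$(last_directive SSLHonorCipherOrder "$f" | tr 'A-Z' 'a-z')
  [ "$order" = "on" ] || { echo "FAIL: SSLHonorCipherOrder is not on"; return 1; }
  echo "OK: $f"
}

# Demo run against the two constructed fragments.
tmpdir=$(mktemp -d)
write_hardened_conf "$tmpdir/hardened.conf"
write_weak_conf "$tmpdir/weak.conf"
check_conf "$tmpdir/hardened.conf" || true   # prints OK: .../hardened.conf
check_conf "$tmpdir/weak.conf" || true       # prints FAIL: SSLv3 not disabled
rm -rf "$tmpdir"
```

check_conf is a static check on directive text, so it tells you what the file asks for, not what the server negotiates. The running server is still confirmed from the outside: openssl s_client -connect host:443 -tls1 should fail to complete a handshake once TLS 1.0 is off, a plain openssl s_client -connect host:443 should report an ECDHE- or DHE- suite, and a scanner such as the ssllabs test David mentions will re-check all three findings.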
