Securing Apache/mod_ssl with SSL/TLS on RHEL5

Securing Apache (httpd-2.2.3), mod_ssl (mod_ssl-2.2.3) that uses openssl

This article is part of the Securing Applications Collection

Configuration File

   /etc/httpd/conf.d/ssl.conf

Short form

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite kDH:AES
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt

Protocols

    SSLProtocol all -SSLv2 -SSLv3

TLSv1 is the highest protocol version available with openssl on RHEL5.

Protocol - Alternative Values

    SSLProtocol All -SSLv2

Allows really old/insecure clients; see Browser Compatibility.

Ciphers

    SSLCipherSuite kDH:AES

Best cipher selection available

Ciphers - Alternative Values

    SSLCipherSuite kDH:AES:RC4-SHA

Allows very old browsers.

Certificate Handling

Apache expects separate PEM format files for key and certificate, and another for the CA chain.

Certificates with either SHA1 or SHA256 signatures are supported, but SHA1 signatures should be actively avoided because SHA1 is insecure.

Key File

    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key

The key should be readable only by the user named in the User directive of the main configuration file.

Certificate File

    SSLCertificateFile /etc/pki/tls/certs/httpd.crt

The server certificate.

Certificate Authority Chain

    SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt

The intermediate and root certificates for the certificate given in SSLCertificateFile.
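Added example (not from the article or from mod_ssl itself): a small Python audit that parses an ssl.conf fragment and checks the settings covered above, evaluating SSLProtocol with mod_ssl's keyword semantics, looking for RC4 in the cipher string, and checking the key file's permission bits. The two sample fragments are constructed from the recommended and alternative values given here; the PROTOCOLS tuple assumes the SSLv2/SSLv3/TLSv1 set that openssl on RHEL5 offers.

```python
import os
import stat

# Constructed samples: the article's recommended short form and its legacy alternative.
RECOMMENDED = """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite kDH:AES
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
"""
LEGACY = """\
SSLProtocol All -SSLv2
SSLCipherSuite kDH:AES:RC4-SHA
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
"""
# Protocols mod_ssl 2.2 can offer on RHEL5; the 'all' keyword covers every one of them.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

def parse_directives(text):
    """Map directive name -> value, skipping blank lines and comments."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split(None, 1) for l in lines if l and not l.startswith("#"))

def enabled_protocols(value):
    """Apply SSLProtocol keywords in order ('all', '+X'/'X' add, '-X' removes); case-insensitive."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        wanted = {p for p in PROTOCOLS if name.lower() in ("all", p.lower())}
        enabled = enabled | wanted if sign == "+" else enabled - wanted
    return enabled

def check_key_mode(mode):
    """The key must be readable only by its owner; any group/other bit is a finding."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "key file is group/world accessible (mode %04o)" % mode

def audit(text):
    """Return findings for one ssl.conf fragment; an empty list means it matches the article."""
    conf = parse_directives(text)
    protos = enabled_protocols(conf.get("SSLProtocol", "all"))
    findings = ["SSLProtocol enables %s" % p for p in ("SSLv2", "SSLv3") if p in protos]
    # A cipher token naming RC4 without a '!' or '-' prefix keeps RC4 negotiable.
    ciphers = [c for c in conf.get("SSLCipherSuite", "").split(":") if c]
    if any("RC4" in c.upper() and c[0] not in "!-" for c in ciphers):
        findings.append("SSLCipherSuite allows RC4")
    key = conf.get("SSLCertificateKeyFile")
    if key and os.path.exists(key):  # permission check only runs on the server itself
        finding = check_key_mode(stat.S_IMODE(os.stat(key).st_mode))
        if finding:
            findings.append(finding)
    return findings
```

Running audit() over the real /etc/httpd/conf.d/ssl.conf on the server adds the key-file permission check, which is skipped when the path does not exist.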