Regardless of the configuration you choose, always configure your server application to enforce server-side cipher order, so that the cipher suite used is determined by the order you configure.
Configuring the Apache HTTP Server
The Apache HTTP Server can use both OpenSSL and NSS libraries for its TLS needs. Depending on your choice of the TLS library, you need to install either the mod_ssl or the mod_nss module (provided by eponymous packages). For example, to install the package that provides the OpenSSL mod_ssl module, issue the following command as root:
yum install mod_ssl
The mod_ssl package installs the /etc/httpd/conf.d/ssl.conf configuration file, which can be used to modify the TLS-related settings of the Apache HTTP Server. Similarly, the mod_nss package installs the /etc/httpd/conf.d/nss.conf configuration file.
When modifying the settings in the /etc/httpd/conf.d/ssl.conf configuration file, be sure to consider the following three directives at the minimum:
Use this directive to specify the version of TLS (or SSL) you want to allow.
Use this directive to specify your preferred cipher suite or disable the ones you want to disallow.
Uncomment and set this directive to on to ensure that the connecting clients adhere to the order of ciphers you specified.
SSLProtocol all -SSLv2 -SSLv3
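One way to check an ssl.conf against the three directives above, as an added example that is not part of the original guide or of Apache itself. It uses the mod_ssl directive names SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder; the sample configuration is constructed, and the flat scan (last active occurrence wins, no VirtualHost scoping or Include handling) is a simplifying assumption.

```python
# Added example: flat scan, last active occurrence wins (vhost scoping ignored).
WANTED = ("sslprotocol", "sslciphersuite", "sslhonorcipherorder")
LEGACY = {"sslv2", "sslv3"}
# Conservative assumption: "all" includes SSLv2/SSLv3 unless explicitly removed.
ALL = LEGACY | {"tlsv1", "tlsv1.1", "tlsv1.2"}

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:!MD5
#SSLHonorCipherOrder on
"""

def active_directives(conf_text):
    """Map lowercased directive name -> value; commented lines never match."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in WANTED:
            found[parts[0].lower()] = parts[1].strip()
    return found

def enabled_protocols(value):
    """Evaluate SSLProtocol tokens: bare name replaces, +name adds, -name removes."""
    enabled = set()
    for tok in value.lower().split():
        name = tok.lstrip("+-")
        names = ALL if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        elif tok.startswith("+"):
            enabled |= names
        else:
            enabled = set(names)
    return enabled

def audit(conf_text):
    """Return findings; an empty list means all three checks pass."""
    d = active_directives(conf_text)
    findings = []
    bad = sorted(enabled_protocols(d.get("sslprotocol", "")) & LEGACY)
    if "sslprotocol" not in d:
        findings.append("SSLProtocol is not set explicitly")
    elif bad:
        findings.append("SSLProtocol still allows " + ", ".join(bad))
    if "sslciphersuite" not in d:
        findings.append("SSLCipherSuite is not set explicitly")
    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not active with value on")
    return findings
```

Calling audit(SAMPLE_CONF) reports the SSLv3 protocol that is still allowed and the commented-out SSLHonorCipherOrder line.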
To configure and use the mod_nss module, modify the configuration file. The mod_nss module is derived from mod_ssl, and as such it shares many features with it, not least the structure of the configuration file, and the directives that are available. Note that the mod_nss directives have a prefix of . See https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html for an overview of information about mod_nss, including a list of mod_ssl configuration directives that are not applicable to mod_nss.