Securing Apache/mod_ssl with SSL/TLS on RHEL6

Updated -

Securing Apache (httpd-2.2.15), mod_ssl (mod_ssl-2.2.15) that uses openssl

This article is part of the Securing Applications Collection

Version Warning

Due to various security issues, particularly LOGJAM httpd/mod_ssl should always be at least version 2.2.15-39.el6 as this allows for use of DH parameters in the certificate file.

Configuration File

   /etc/httpd/conf.d/ssl.conf

shortform

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
SSLCertificateFile /etc/pki/tls/certs/httpd.dh.crt
SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt

Protocols

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Protocol - Alternative Values

SSLProtocol All -SSLv2 -SSLv3

Enable TLSv1.0 for obsolete Browser Compatibility

Ciphers

    SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

Reasonable selection of strong ciphers

Ciphers - Alternative Values

SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:RC4+RSA:!DES:!EXP:!SEED:!IDEA:!3DES

Include RC4-RSA for earlier IE compatibility.

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Allow very old browsers

Certificate Handling

Apache expects separate PEM format files for key and certificate, and another for the CA chain.

Key File

SSLCertificateKeyFile /etc/pki/tls/private/httpd.key

key should be readable only by User as defined in the main configuration file

Certificate File

SSLCertificateFile /etc/pki/tls/certs/httpd.dh.crt

Since the SSLCertificateFile can contain Diffie-Helman parameters to enable PFS it is necessary to maintain an additional pair of files.
The actual certificate should be placed in

/etc/pki/tls/certs/httpd.crt

Then the following should be run to create the combined file
This sequence should then be run periodically (weekly) to update the DH parameters, followed by a service reload.

openssl dhparam -out /etc/pki/tls/private/httpd.dh.param.tmp 2048
mv /etc/pki/tls/private/httpd.dh.param.tmp  /etc/pki/tls/private/httpd.dh.param
cat /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.dh.param >/etc/pki/tls/certs/httpd.dh.crt
service httpd graceful

Certificate Authority Chain

SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt

Intermediate and Root certificates for the SSLCertificateFile

Comments