Securing Apache/mod_ssl with SSL/TLS on RHEL7
Securing Apache (httpd-2.4.6) with mod_ssl (mod_ssl-2.4.6), which uses OpenSSL
This article is part of the Securing Applications Collection
Configuration File

/etc/httpd/conf.d/ssl.conf

Short form (the recommended settings; each directive is explained in the sections that follow):

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
SSLCertificateFile /etc/pki/tls/certs/httpd.dh.crt
SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt
Protocols

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Provides general compatibility.

Legacy level security:
SSLProtocol all -SSLv2 -SSLv3
Enables TLSv1.0 for obsolete browser compatibility.
Ciphers

SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Reasonable selection of strong ciphers.

Higher compatibility, reduced security ciphers:
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4+RSA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Includes RC4+RSA for compatibility with earlier versions of Internet Explorer.

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Allows very old browsers.
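mod_ssl passes the SSLCipherSuite string to OpenSSL unchanged, so the exact set of suites a given string enables depends on the OpenSSL build on the host, and the only reliable way to know what the server will offer is to ask that OpenSSL. The following script is an added example, not part of the article or of mod_ssl; it assumes the `openssl` command-line tool is installed, and the function names (`cipher_list`, `weak_names`, `suite_is_clean`, `report`) are the example's own. It expands a cipher string with `openssl ciphers` and flags any suite that still uses an algorithm the article's recommended string is meant to exclude.

```shell
#!/bin/sh
# Added example (not from the article): expand a mod_ssl SSLCipherSuite string
# with the host's own OpenSSL and flag suites that use excluded algorithms.
set -e

# The article's recommended cipher string.
RECOMMENDED='kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES'

# Expand a cipher string into one suite name per line.
# Output is empty when OpenSSL rejects the string outright.
cipher_list() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# Filter stdin, keeping only suite names that use algorithms the article
# excludes: RC4, MD5, DES/3DES, NULL, export grade, SEED and IDEA.
weak_names() {
    grep -E 'RC4|MD5|DES|NULL|EXP|SEED|IDEA' || true
}

# Return 0 when the string expands to at least one suite and none is weak.
suite_is_clean() {
    expanded=$(cipher_list "$1")
    [ -n "$expanded" ] || return 1
    [ -z "$(printf '%s\n' "$expanded" | weak_names)" ]
}

# Print the expansion, marking flagged suites, for a human to review.
report() {
    cipher_list "$1" | while read -r name; do
        if printf '%s\n' "$name" | weak_names | grep -q .; then
            echo "WEAK $name"
        else
            echo "ok   $name"
        fi
    done
}

# Usage: ./check-ciphers.sh report ['cipher string']  (defaults to RECOMMENDED)
if [ "${1:-}" = "report" ]; then
    report "${2:-$RECOMMENDED}"
fi
```

Run the report once on the host that will serve the configuration rather than on a workstation: an older OpenSSL (RHEL7 ships 1.0.2) and a current one expand the same string differently, and suites that one build drops silently may be offered by the other.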
Certificate Handling

Apache expects separate PEM-format files for the key and the certificate, and another for the CA chain.

Key File
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
The key should be readable only by the User defined in the main configuration file.

Certificate File
SSLCertificateFile /etc/pki/tls/certs/httpd.dh.crt
Since the SSLCertificateFile can contain Diffie-Hellman parameters to enable PFS (perfect forward secrecy), it is necessary to maintain an additional pair of files. The actual certificate should be placed in /etc/pki/tls/certs/httpd.crt. Then the following should be run to create the combined file. This sequence should then be run periodically (weekly) to update the DH parameters, followed by a service reload:

openssl dhparam -out /etc/pki/tls/private/httpd.dh.param.tmp 2048
mv /etc/pki/tls/private/httpd.dh.param.tmp /etc/pki/tls/private/httpd.dh.param
cat /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.dh.param >/etc/pki/tls/certs/httpd.dh.crt
systemctl reload httpd
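The sequence above rebuilds the live SSLCertificateFile with a plain `cat`, so a wrong key, a missing certificate or a failed `dhparam` run leaves httpd reloading against a broken file. The script below is an added example, not part of the article; it keeps the article's paths as defaults (overridable through the environment for testing), assumes the `openssl`, `apachectl` and `systemctl` commands from the page are present, and the function names (`is_owner_only`, `gen_dhparam`, `key_matches_cert`, `build_combined`, `combined_is_valid`, `rotate_dh_params`) are the example's own. It performs the same rotation, but checks the key file's permissions and that the key matches the certificate first, assembles the combined file in a temporary location, verifies that both PEM blocks parse, and only then swaps it into place and reloads.

```shell
#!/bin/sh
# Added example (not from the article): a checked version of the weekly
# DH parameter rotation. Paths default to the ones the article uses.
set -e

CERT="${CERT:-/etc/pki/tls/certs/httpd.crt}"
KEY="${KEY:-/etc/pki/tls/private/httpd.key}"
DHPARAM="${DHPARAM:-/etc/pki/tls/private/httpd.dh.param}"
COMBINED="${COMBINED:-/etc/pki/tls/certs/httpd.dh.crt}"
DH_BITS="${DH_BITS:-2048}"

# Return 0 when a file has no group or world permission bits at all
# (columns 5-10 of "ls -l" are the group and other triplets).
is_owner_only() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Generate DH parameters of the requested size into a temporary file and move
# them into place atomically, so a reader never sees a half-written file.
gen_dhparam() {
    dh_out="$1"; dh_bits="$2"
    openssl dhparam -out "$dh_out.tmp" "$dh_bits" 2>/dev/null
    chmod 0600 "$dh_out.tmp"
    mv "$dh_out.tmp" "$dh_out"
}

# Return 0 when the public half of the private key equals the public key in
# the certificate; works for RSA and EC keys alike.
key_matches_cert() {
    pub_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    pub_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub_key" ] && [ "$pub_key" = "$pub_cert" ]
}

# Write certificate followed by DH parameters to the given output path.
build_combined() {
    cat "$1" "$2" > "$3"
}

# Return 0 when the file carries a parsable CERTIFICATE block and a parsable
# DH PARAMETERS block; a truncated or certificate-only file fails.
combined_is_valid() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | openssl x509 -noout 2>/dev/null || return 1
    sed -n '/^-----BEGIN .*DH PARAMETERS-----/,/^-----END .*DH PARAMETERS-----/p' "$1" \
        | openssl dhparam -noout 2>/dev/null
}

# Rotate the DH parameters and reload httpd. Every check runs before the live
# combined file is replaced, so a failure leaves the running service untouched.
rotate_dh_params() {
    is_owner_only "$KEY"               || { echo "refusing: $KEY is group/world accessible" >&2; return 1; }
    key_matches_cert "$KEY" "$CERT"    || { echo "refusing: $KEY does not match $CERT" >&2; return 1; }
    gen_dhparam "$DHPARAM" "$DH_BITS"
    build_combined "$CERT" "$DHPARAM" "$COMBINED.new"
    combined_is_valid "$COMBINED.new"  || { rm -f "$COMBINED.new"; echo "refusing: combined file failed validation" >&2; return 1; }
    mv "$COMBINED.new" "$COMBINED"
    apachectl configtest >/dev/null 2>&1 || { echo "configtest failed; not reloading" >&2; return 1; }
    systemctl reload httpd
}

# Usage: ./rotate-dh.sh run   (e.g. from a weekly cron job)
if [ "${1:-}" = "run" ]; then
    rotate_dh_params
fi
```

The two PEM blocks are validated separately because the combined file is read by two different consumers: mod_ssl's certificate loader and its DH parameter loader. Checking each with the matching `openssl` subcommand catches the case where `cat` produced something that one of them will reject, which a byte count or a successful `cat` exit status never would.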
Certificate Authority Chain
SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt
The intermediate and root certificates for the SSLCertificateFile.