Securing Apache/mod_ssl with SSL/TLS on RHEL7

Securing Apache (httpd-2.4.6) and mod_ssl (mod_ssl-2.4.6), which use OpenSSL.

This article is part of the Securing Applications Collection

Configuration File

   /etc/httpd/conf.d/ssl.conf

Short form

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
    SSLCertificateFile /etc/pki/tls/certs/httpd.dh.crt
    SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt

Protocols

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Leaves only TLSv1.2 enabled. This is the recommended setting; current browsers and clients support it.

Legacy level security

    SSLProtocol all -SSLv2 -SSLv3

Leaves TLSv1.0 (and TLSv1.1) enabled for compatibility with obsolete browsers that cannot negotiate TLSv1.2; use it only where such clients must be supported.

Ciphers

    SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

A reasonable selection of strong ciphers: forward-secret ECDHE and DHE key exchange is preferred, and anonymous, NULL, RC4, MD5, DES, export-grade, SEED, IDEA and 3DES ciphers are excluded.

Higher compatibility, reduced security ciphers

    SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4+RSA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Includes RC4+RSA for compatibility with earlier versions of Internet Explorer; RC4 is otherwise excluded.

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Allows very old browsers; this is the weakest of the three settings.
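The two directives above can be checked statically. The script below is an added example and is not from the original page or from the httpd project: it expands an SSLProtocol argument list the way mod_ssl does (assuming the httpd-2.4.6/OpenSSL 1.0.x meaning of "all", where SSLv2 is compiled out and TLSv1.3 does not exist) and flags cipher-list families that an SSLCipherSuite string leaves negotiable. The cipher check is a textual heuristic over OpenSSL cipher-list keywords, not a full expansion, so run `openssl ciphers -v '<string>'` on the server for the authoritative list. The sample configuration fragments are constructed from the lines shown on this page; the function names are my own.

```python
"""Static audit of the SSLProtocol and SSLCipherSuite directives in ssl.conf."""
import re
import sys

# What "all" expands to on httpd-2.4.6 built against OpenSSL 1.0.x (assumption
# about the RHEL7 build): SSLv2 is compiled out and TLSv1.3 does not exist yet.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN_PROTOCOLS = ("SSLv2",) + ALL_PROTOCOLS
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Cipher-list families a hardened server should exclude with "!".
WEAK_FAMILIES = {"RC4", "MD5", "DES", "3DES", "EXP", "aNULL", "ADH", "AECDH",
                 "eNULL", "LOW", "SEED", "IDEA"}
# Catch-all aliases: acceptable only if every weak family is excluded explicitly.
BROAD_FAMILIES = {"ALL", "DEFAULT", "MEDIUM", "COMPLEMENTOFDEFAULT"}
# Alternative OpenSSL spellings of the same family.
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL"}

DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(\S.*?)\s*$",
                          re.M | re.I)

def enabled_protocols(value):
    """Expand an SSLProtocol argument list (e.g. 'all -SSLv3') into the set of
    protocols left enabled: unprefixed and '+' keywords add, '-' removes."""
    enabled = set()
    for word in value.split():
        op, name = (word[0], word[1:]) if word[0] in "+-" else ("+", word)
        if name.lower() == "all":
            targets = ALL_PROTOCOLS
        else:
            targets = [p for p in KNOWN_PROTOCOLS if p.lower() == name.lower()]
            if not targets:
                raise ValueError("unknown SSLProtocol keyword: %r" % word)
        if op == "+":
            enabled.update(targets)
        else:
            enabled.difference_update(targets)
    return enabled

def cipher_findings(value):
    """Flag weak cipher families that an SSLCipherSuite string leaves negotiable."""
    tokens = [t for t in value.split(":") if t]
    banned = {ALIASES.get(f, f) for t in tokens if t.startswith("!")
              for f in t[1:].split("+")}
    findings, broad = [], []
    for token in tokens:
        if token[0] in "!-":          # excluded, or removed unless re-added later
            continue
        families = {ALIASES.get(f, f) for f in token.lstrip("+").split("+")}
        for family in sorted(families & (WEAK_FAMILIES - banned)):
            findings.append("%s enabled via '%s'" % (family, token))
        if families & BROAD_FAMILIES:
            broad.append(token)
    if broad:
        findings.append("catch-all alias(es) %s used while %s are not excluded"
                        % (", ".join(broad), ", ".join(sorted(WEAK_FAMILIES - banned))))
    return findings

def audit_ssl_conf(text):
    """Return findings for every SSLProtocol / SSLCipherSuite line in text."""
    findings = []
    for directive, value in DIRECTIVE_RE.findall(text):
        if directive.lower() == "sslprotocol":
            bad = sorted(enabled_protocols(value) & DEPRECATED_PROTOCOLS)
            if bad:
                findings.append("deprecated protocols enabled: " + ", ".join(bad))
        else:
            findings.extend(cipher_findings(value))
    return findings

# Constructed sample inputs: the hardened and the legacy fragments from this page.
HARDENED_CONF = """
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
"""
LEGACY_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4+RSA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
"""

if __name__ == "__main__":
    # Audit the file named on the command line (e.g. /etc/httpd/conf.d/ssl.conf)
    # or, without an argument, the two built-in samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sources = {sys.argv[1]: fh.read()}
    else:
        sources = {"hardened sample": HARDENED_CONF, "legacy sample": LEGACY_CONF}
    for name, text in sources.items():
        print("%s: %s" % (name, audit_ssl_conf(text) or ["no findings"]))
```

Run it as `python3 audit_ssl_conf.py /etc/httpd/conf.d/ssl.conf`; the hardened fragment produces no findings, while the legacy fragment reports TLSv1/TLSv1.1 and the RC4+RSA token. A "-" token is skipped rather than flagged because mod_ssl/OpenSSL allow a later token to re-add it; only "!" removes a family permanently.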

Certificate Handling

Apache expects separate PEM-format files for the key and the certificate, and a third one for the CA chain.

Key File

    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key

The key should be readable only by the account named by the User directive in the main configuration file.

Certificate File

    SSLCertificateFile /etc/pki/tls/certs/httpd.dh.crt

Since the SSLCertificateFile can also carry Diffie-Hellman parameters (which enable perfect forward secrecy), an additional pair of files has to be maintained.
The actual certificate should be placed in

    /etc/pki/tls/certs/httpd.crt

The following commands then create the combined file. The same sequence should be run periodically (weekly) to regenerate the DH parameters, and it ends with a service reload:

    openssl dhparam -out /etc/pki/tls/private/httpd.dh.param.tmp 2048
    mv /etc/pki/tls/private/httpd.dh.param.tmp /etc/pki/tls/private/httpd.dh.param
    cat /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.dh.param >/etc/pki/tls/certs/httpd.dh.crt
    systemctl reload httpd

Certificate Authority Chain

    SSLCertificateChainFile /etc/pki/tls/certs/httpd-chain.crt

The intermediate and root CA certificates that form the chain for the SSLCertificateFile.
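Before the reload picks up the new files, it is worth confirming that the combined file was assembled as intended. The script below is an added example, not part of the original page or of httpd: it checks that httpd.dh.crt is exactly httpd.crt followed by one DH PARAMETERS block, decodes the PKCS#3 DER (SEQUENCE { p INTEGER, g INTEGER }) to confirm the prime is at least 2048 bits, and verifies that httpd.key grants no group or other access. The file paths are the ones from this page; the function names are my own, and the sample certificate and DH-parameter contents are constructed placeholders for offline testing only.

```python
"""Sanity-check httpd.crt, httpd.dh.param, httpd.dh.crt and httpd.key before reload."""
import base64
import os
import re
import stat

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def _der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(der):
    """Bit length of p in a PKCS#3 DHParameter: DER SEQUENCE { p INTEGER, g INTEGER }."""
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters: expected SEQUENCE")
    ptag, p, _ = _der_read(body, 0)
    if ptag != 0x02:
        raise ValueError("DH parameters: expected INTEGER p")
    return int.from_bytes(p, "big").bit_length()

def check_combined_cert(cert_text, dh_text, combined_text, min_bits=2048):
    """Problems with the contents of httpd.crt, httpd.dh.param and httpd.dh.crt."""
    cert, dh = pem_blocks(cert_text), pem_blocks(dh_text)
    problems = []
    if not cert or cert[0][0] != "CERTIFICATE":
        problems.append("httpd.crt does not start with a CERTIFICATE block")
    if len(dh) != 1 or dh[0][0] != "DH PARAMETERS":
        problems.append("httpd.dh.param must hold exactly one DH PARAMETERS block")
    else:
        bits = dh_prime_bits(dh[0][1])
        if bits < min_bits:
            problems.append("DH prime is %d bits (< %d)" % (bits, min_bits))
    if pem_blocks(combined_text) != cert + dh:
        problems.append("combined file is not httpd.crt followed by the DH parameters")
    return problems

def key_mode_ok(mode):
    """True when a key file mode grants no group or other access (e.g. 0600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def key_file_problems(path):
    mode = os.stat(path).st_mode
    if key_mode_ok(mode):
        return []
    return ["%s is group/world accessible (mode %04o)" % (path, stat.S_IMODE(mode))]

# --- constructed sample inputs for offline testing; never deploy these ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(n):
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                                 # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def sample_dh_pem(bits):
    """CONSTRUCTED: p = 2^(bits-1)+1 is not prime; it only has the size needed
    to exercise the layout checks above."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END DH PARAMETERS-----\n")

# CONSTRUCTED placeholder: the checks never parse the certificate body itself.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"placeholder, not a real certificate").decode()
               + "\n-----END CERTIFICATE-----\n")
SAMPLE_DH = sample_dh_pem(2048)

if __name__ == "__main__":
    # Run on the paths from this page, after the cat step and before the reload.
    base = "/etc/pki/tls/"
    with open(base + "certs/httpd.crt") as c, open(base + "private/httpd.dh.param") as d, \
            open(base + "certs/httpd.dh.crt") as x:
        problems = check_combined_cert(c.read(), d.read(), x.read())
    problems += key_file_problems(base + "private/httpd.key")
    for problem in problems:
        print("PROBLEM:", problem)
    raise SystemExit(1 if problems else 0)
```

A non-zero exit status makes the script usable as a gate in the weekly rotation job, so that `systemctl reload httpd` only runs when every check passes.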
