The Gig of Ham

One geek's contributions to the series of tubes

Dec 16, 2014 - 3 minute read - Internet linux sysadmin

SSL Labs A+ Certification for Apache 2.4

After gaining some insight from Seth Vargo’s excellent post on doing the same things with nginx, I decided to tweak my Apache 2.4 config to get the same results:

At first, I got everything but the TLS_FALLBACK_SCSV support. I did some digging and discovered that I had missed an OpenSSL update. Applying that and then restarting Apache did the trick. Here are the relevant security announcements with the required versions of OpenSSL for Ubuntu, Debian, and RHEL/CentOS. The server I configured is running Ubuntu 14.04 LTS.

As Seth mentions, you will need an SSL certificate. I get mine for free from StartSSL. No, really: they are free, and they are recognized by all modern browsers and phones. They even sign all their certs using SHA256 and provide a full SHA256 chain (if you know where to look). This is important if any of your users are using Chrome or Chromium. (UPDATE: Mozilla Firefox too.) You can pay for some upgrades, like organizational verification (which I do), for an annual fee, and then you can still get as many certificates as you like. The same model applies to their EV certs; just be aware that you may need to stack other certification levels on your account before adding EV support. Still, once you pay those fees, all your certificates are EV. Kind of a sweet deal, I just wish they had an API.

Now, on to Apache. The configuration is a bit more complex than nginx's, so I break it into two parts: one per site (which I break out to a file and include in all my sites for easier maintenance), and one for the mod_ssl module itself. Let's start with the mod_ssl config (which must be defined OUTSIDE a VirtualHost block):

The first few lines are self-explanatory, but the last one needs some discussion. The OCSP stapling cache can be configured many ways; in this case I decided on a shared-memory cyclic buffer with a reasonable size. There are other options defined in the docs, but this one is reasonably performant and doesn't have a major cost or configuration impact.

Now comes the fun part, which is the per-site configuration. Apache 2.4 supports Server Name Indication (or SNI), so you can run multiple SSL sites on a single IP address. This is also supported by most modern browsers and phones (the linked Wikipedia article has a very thorough list). Because I run multiple sites on a single IP, I didn't want to keep the same huge block of configuration information in each site, so I break out the common bits to a file like this:

I've tried to be as explicit as possible, with comments from the Apache documentation as well as the other sources I've pulled from. The Mozilla reference is to their Server Side TLS settings recommendations. In order to get 100% on the SSL Labs test, you need to disable everything but the 256-bit AES DHE and ECDHE ciphers. This is an explicit breakout of the ciphers referenced in Seth's configuration. With this all in a single file, configuring a virtual host is pretty simple:

Yeah, I like verbose Apache configs. The relevant lines are highlighted. You basically pull in the config defined above, and then define the SSL certificate and key on a per-site basis. Could I have added the CA and chain files to the global config? Yes, but then I would only be able to support a single CA. This is still a tiny amount of configuration information compared to the whole mess in the previous section, and it provides some flexibility. That's pretty much it, now go secure everything.
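To make the two-part layout concrete, here is an added example configuration following the scheme described above (global mod_ssl settings, a shared per-site include, and a minimal virtual host); it is not the author's own config, and the file paths, ServerName and certificate locations are assumed placeholders.

```apache
# --- Part 1: global mod_ssl settings, OUTSIDE any <VirtualHost> ---
# Assumed location on Ubuntu: /etc/apache2/mods-available/ssl.conf
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionCache         "shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)"

# OCSP stapling: shared-memory cyclic buffer (128 KiB) for cached responses.
# Returning responder errors to clients is off so an OCSP outage degrades
# to "no staple" instead of a failed handshake.
SSLUseStapling          on
SSLStaplingCache        "shmcb:${APACHE_RUN_DIR}/ssl_stapling(131072)"
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

# --- Part 2: shared per-site snippet, assumed path /etc/apache2/tls-common.conf ---
SSLEngine on
# Only 256-bit AES with forward-secret ECDHE/DHE key exchange, GCM first.
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
# HSTS (requires mod_headers); SSL Labs needs a long max-age for the A+ grade.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</IfModule>

# --- Per-site virtual host: pulls in the snippet, adds only cert, key and chain ---
<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/example
    Include /etc/apache2/tls-common.conf
    SSLCertificateFile      /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.pem
</VirtualHost>
```

A cipher list this narrow locks out older clients, so check SSL Labs' handshake simulation results for the browsers you need before rolling it out.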