Secure SSL/TLS settings for Apache 2.4

1.  
2. # Tested with Apache 2.4 and OpenSSL 1.0.1e
3. #
4.  
5.  
6. # Useful references
7. #   http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
8. #   https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
9. #   https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
10. #   https://www.ssllabs.com/ssltest/
11. #   https://cc.dcsec.uni-hannover.de
12. #   https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites
13. #   http://crypto.stackexchange.com/questions/10493/why-is-tls-susceptible-to-protocol-downgrade-attacks
14.  
15. # The following end-clients are supported (older versions are NOT; newer versions probably are):
16. #   Microsoft Internet Explorer 11
17. #   Google Chrome 30
18. #   Google Chrome 31
19. #   Google Chrome 32
20. #   Google Chrome 33
21. #   Mozilla Firefox 27
22. #   Opera 17
23. #   Android 4.2.2
24. #   Java 1.8 (Java 7 defaults to using TLSv1, with TLSv1.2 optional if code enabled; Java 8 defaults to v1.2)
25. #   iOS 5.0
26. #   F5 BigIP load balancer 11.4.1
27. #   Safari 7 on Mac OS X 10.9
28. # The following obsolete end-clients are supported, but don't support the strongest security options (i.e. TLSv1.2)
29. #   Microsoft Internet Explorer 8
30. #   Microsoft Internet Explorer 9
31. #   Microsoft Internet Explorer 10
32. #   Mozilla Firefox 26
33. #   Java 1.7
34. #   Java 1.6
35. #   Android 2.3
36. #   Android 3.x
37. #   Android 4.0
38. #   Android 4.1
39. #   Safari 6 on Mac OS X 10.8
40.  
41.  
42. #-------------------------------------------------------------------------------
43. # Disable insecure client-initiated renegotiation (usually default but make sure)
44. SSLInsecureRenegotiation off
45.  
46.  
47. #-------------------------------------------------------------------------------
48. # Prevent the CRIME attack
49. SSLCompression off
50.  
51.  
52. #-------------------------------------------------------------------------------
53. # Reference documents for TLS version support
54. #   http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
55. #   http://op-co.de/blog/posts/android_ssl_downgrade/
56. #   http://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Protocol_support
57. # TLSv1.2 is supported by (configuration enabled by default):
58. #   Google Chrome 30+
59. #   Mozilla Firefox 27+
60. #   Microsoft Internet Explorer 11+
61. #   Opera 17+
62. #   Safari 5+ (on Mac or iOS)
63. #   Android 4.2.2
64. #   iOS 5.0
65. #   F5 BigIP load balancer 11.4.1
66. #   Safari 7 on Mac OS X 10.9
67. SSLProtocol TLSv1.2 +TLSv1
68.  
69. # Complete prevention (server-side) of BEAST is only possible in TLSv1.1 and later.  Use of TLSv1.0 with CBC ciphers
70. #   can still leave the issue open.  Use of RC4 as a cipher was recommended, but RC4 is weakened by other attacks.
71. #   Use of TLSv1.2 with GCM is the best available.  Most web browsers have patches to mitigate client-side.
72. # Use of GCM AES ciphers are only available in TLSv1.2, but at least we can prefer them.
73. # Since we must support TLS version 1.0 to handle older browsers at this time we cannot 100% stop BEAST server-side.
74. # Older clients must have their own client-side patch to prevent the risk of BEAST
75.  
76. #*********
77. # Support older clients (for a limited time) with lower security version
78. # Internet Explorer 8 - 10 can do TLS v1.2, but it is disabled by default so only TLSv1.0 is enabled in IE :(
79. # Other older clients are in a similar situation.
80. # SSLProtocol has +TLSv1 added above to SSLProtocol for this support.
81.  
82.  
83. #-------------------------------------------------------------------------------
84. # Enable perfect forward secrecy
85.  
86. # Prefer the servers cipher options
87. SSLHonorCipherOrder On
88.  
89. # Apache 2.4+ has Define directive built-in, you can string concat with it
90.  
91. # The latest and strongest OpenSSL (latest version) ciphers are typically not supported by the major web browser clients
92. # We will add ciphers in order of preference based on the strongest cipher the web client (and version) supports
93. # We also take into account web server support
94.  
95. # Start with secure clean slate
96. # (Reminder:  Apache 2.4.7+ always adds "!aNULL:!eNULL:!EXP:")
97. Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!RC4:!3DES:!eNULL:!NULL:!DES:!MD5:!LOW
98.  
99.  
100. #************
101. # We'd prefer (where supported):    ECDHE   RSA AES  GCM    TLSv1.2
102. #   ECDHE is faster than DHE.  Both provide forward secrecy.
103. #   RSA has larger key size but verifies faster.  Furthermore ECDSA requires ECDSA certificates which most people are
104. #       not using with their Apache web server or otherwise.
105. #   AES is strong algorithm.  128-bit or 256-bit are fine.  Most clients don't do 256-bit yet.
106. #   GCM over CBC.  CBC has been attacked a few times and NIST prefers GCM.
107. #   TLS v1.2 avoids a lot of attacks and has newer features/ciphers.
108.  
109. # Our very first and preferred cipher regardless of client
110. Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES128-GCM-SHA256
111. # Backup cipher to first preferred
112. Define sslCiphers ${sslCiphers}:DHE-RSA-AES128-GCM-SHA256
113. # Warning:  Don't duplicate declare any ciphers or it may end up in a lower priority/preference position
114.  
115.  
116. # Google Chrome (Version 33.0.1750.146 m)   Windows 7 64-bit w/SP1
117. # Already:  ECDHE-RSA-AES128-GCM-SHA256
118.  
119. # Firefox 27    Windows 7 64-bit w/SP1
120. # Already:  ECDHE-RSA-AES128-GCM-SHA256
121.  
122. # Android 4.2.2; 4.3
123. # Already:  ECDHE-RSA-AES128-GCM-SHA256
124.  
125. # Opera 20
126. # Already:  ECDHE-RSA-AES128-GCM-SHA256
127.  
128. #   iOS 5.0
129. # Already:  ECDHE-RSA-AES128-GCM-SHA256
130.  
131. # F5 BigIP load balancer 11.4.1
132. #   CBC not GCM
133. Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-SHA
134.  
135.  
136. #************
137. # TLS v1.0 capable only clients
138.  
139. # Microsoft Internet Explorer 8.0.7601.17514    Windows 7 64-bit w/SP1
140. # Already: ECDHE-RSA-AES256-SHA
141.  
142. # Android 2.3 to 4.0
143. # Untested due to lack of devices.  Assuming same as IE8.
144.  
145. # Mozilla Firefox 26
146. # Already:  ECDHE-RSA-AES128-GCM-SHA256
147.  
148. # Java 7 (1.7) doesn't do GCM, that is coming in Java 8
149. # Also 256-bit isn't available in default setups without "JCE Unlimited Strength Jurisdiction Policy Files"
150. # Java 7 RFC4492 cipher name:  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
151. #   http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
152. # OpenSSL version of the cipher name:  ECDHE-RSA-AES128-SHA
153. #   https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES
154. Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES128-SHA
155.  
156.  
157. # Java 6 (1.6) doesn't do GCM
158. # No support at all for TLSv1.1 or later (not even disabled by default like Java 7)
159. # Also 256-bit isn't available in default setups without "JCE Unlimited Strength Jurisdiction Policy Files"
160. # Java 7 RFC4492 cipher name:  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
161. #   http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
162. # OpenSSL version of the cipher name:  DHE-RSA-AES128-SHA
163. #   https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES
164. Define sslCiphers ${sslCiphers}:DHE-RSA-AES128-SHA
165.  
166.  
167. #*******************************************************************************
168. # (Reminder:  Multiple SSLCipherSuite are *not* additive but *override/replace* each other)
169. # (Reminder:  "In per-directory context" behaves special)
170. # (Reminder:  Apache 2.4.7+ always adds "!aNULL:!eNULL:!EXP:"
171. SSLCipherSuite ${sslCiphers}
172.  
173.  
174. #-------------------------------------------------------------------------------
175. # Mitigate against BREACH and TIME
176. SetEnv no-gzip
177.  
178. #-------------------------------------------------------------------------------
179. # Enable HTTP Strict Transport Security (HSTS) (approximately for 1 year)
180. Header add Strict-Transport-Security "max-age=31536000 ; includeSubDomains"