Before you configure your Apache server for Forward Secrecy, your web server and SSL/TLS library should support Elliptic Curve cryptography (ECC).
Minimum Required Versions
-
OpenSSL 1.0.1c+
-
Apache 2.4x
Note: Because of the Heartbleed bug and OpenSSL vulnerabilities, you should update to the most recent versions (i.e. OpenSSL version 1.0.1h).
How to Configure Apache for Forward Secrecy
To configure Apache for Forward Secrecy, you configure the server to actively choose cipher suites and then activate the right OpenSSL cipher suite configuration string.
-
Locate your SSL Protocol Configuration on your Apache server.
For example,
-
Type the following command:
grep -i -r "SSLEngine" /etc/apacheIn this example, /etc/apache is the base directory for the Apache installation.
-
The command will out put the available Virtual Hosts.
-
Open the Virtual Host for which you are enabling Forward Secrecy.
-
-
Add the following lines to your configuration:
-
SSLProtocol all -SSLv2 -SSLv3
-
SSLHonorCipherOrder on
-
For SSLCipherSuite, use one of the following configurations:
-
Configure with RC4
Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and RC4 (RC4 is resistant to BEAST). To improve performance, use the faster ECDHE suites whenever possible.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" -
Configure without RC4
Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and you prefer not to use RC4. To improve performance, use the faster ECDHE suites whenever possible.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" -
Configure with RC4 as a last resort to support wide range and older browsers
Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and you want to use RC4 only as a last resort in order to support a wide range of browsers and/or older browsers. To improve performance, use the faster ECDHE suites whenever possible.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
-
-
-
Restart Apache.
For example, type the following command:
apachectl -k restart -
To verify that you have enabled Forward Secrecy, use the Qualys SSL Labs to test your configuration.
-
You have successfully configured Apache for Forward Secrecy.
