Kích hoạt Forward Secrecy cho Apache

Before you configure your Apache server for Forward Secrecy, your web server and SSL/TLS library should support Elliptic Curve cryptography (ECC).

Minimum Required Versions

  • OpenSSL 1.0.1c+

  • Apache 2.4x

Note:    Because of the Heartbleed bug and OpenSSL vulnerabilities, you should update to the most recent versions (i.e. OpenSSL version 1.0.1h).

How to Configure Apache for Forward Secrecy

To configure Apache for Forward Secrecy, you configure the server to actively choose cipher suites and then activate the right OpenSSL cipher suite configuration string.

  1. Locate your SSL Protocol Configuration on your Apache server.

    For example,

    1. Type the following command:

       

      grep -i -r "SSLEngine" /etc/apache

       

      In this example, /etc/apache is the base directory for the Apache installation.

    2. The command will out put the available Virtual Hosts.

    3. Open the Virtual Host for which you are enabling Forward Secrecy.

  2. Add the following lines to your configuration:

    1.  

      SSLProtocol all -SSLv2 -SSLv3

       

    2.  

      SSLHonorCipherOrder on

       

    3. For SSLCipherSuite, use one of the following configurations:

      • Configure with RC4

        Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and RC4 (RC4 is resistant to BEAST). To improve performance, use the faster ECDHE suites whenever possible.

         

        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

         

      • Configure without RC4

        Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and you prefer not to use RC4. To improve performance, use the faster ECDHE suites whenever possible.

         

        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

         

      • Configure with RC4 as a last resort to support wide range and older browsers

        Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and you want to use RC4 only as a last resort in order to support a wide range of browsers and/or older browsers. To improve performance, use the faster ECDHE suites whenever possible.

         

        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"

         

  3. Restart Apache.

    For example, type the following command:

     

    apachectl -k restart

     

  4. To verify that you have enabled Forward Secrecy, use the Qualys SSL Labs to test your configuration.

  5. You have successfully configured Apache for Forward Secrecy.

  • ssl, Forward Secrecy, Forward Secrecy cho Apache
  • 0 Người dùng thấy hướng dẫn này hữu ích
Hướng dẫn này có hữu ích?

Những hướng dẫn liên quan

Hướng dẫn cấu hình Exchange dùng tên miền chính thức (FQDN) thay cho tên miền nội bộ (Local name)

Gần đây CAB Forum, tổ chức quản lý các nhà cung cấp dịch vụ chứng thực (CA) đã công bố một số...

Tổng hợp cập nhật vá lỗi SSL trên Windows Server

Hướng dẫn cập nhật vá các lỗi và lổ hổng SSL trên Windows Server. Vô hiệu giao thức SSL v3...

Kích hoạt Forward Secrecy cho Nginx

Before you configure your Nginx server for Forward Secrecy, your web server and SSL/TLS library...

Kích hoạt Forward Secrecy cho IIS Windows

Để đơn giản hóa và thực thi nhanh chóng các thiết lập này, có 1 file PowerShell script giúp bạn...

Vô hiệu hoá SSLv3 trong Apache

1. Mở file config SSL của Apache sudo nano /etc/apache2/mods-enabled/ssl.conf 2) Tìm dòng :...