I've run into an excellent online tool for testing the SSL configuration of a web server, Qualys SSL Labs. To begin with, my overall score was D, which means that the web server was either misconfigured or that its configuration was weak. Reading about all the things they've mentioned on their site, one should think that it is safer to run a web server without an SSL certificate than with one.
The first thing to do is to declare who may issue an SSL certificate for your domain. This is done in DNS: either edit your own DNS zone file or ask your hosting/DNS provider to do it for you. The effect is that a certificate-issuing company X that respects the CAA (Certification Authority Authorisation) DNS record will not issue a certificate for the domain as long as only company Y is listed in that record. A CAA DNS record looks like this:
sefic.name CAA 0 issue "letsencrypt.org"
More info about CAA can be found here.
The second thing to do is to add support for Forward Secrecy to your Apache configuration. To do this, ssh to your server and find the site configuration files that contain the SSLEngine directive:
grep -i -r "SSLEngine" /etc/apache
Now we need to configure which SSL protocol versions we support. Add the following line if it is missing; otherwise, change the existing line to match this:
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
and turn SSL compression off.
The next thing to configure is the SSL cipher suite. You will probably find many sites that advise you to support many ciphers for the sake of backward compatibility with clients like IE6 and Windows XP. In a perfect world this would be fine, but since we do not live in such a world, we need to limit the supported cipher suites:
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
The third thing to do is to configure HTTP Strict Transport Security (HSTS). What does this do? Long story short, it tells the browser never to load this site over plain HTTP and to use HTTPS for every attempt instead. Why? If you rely on an HTTP redirect to the HTTPS version of your website, your visitors are talking to your web server over an insecure connection until they are redirected. HSTS is enabled by adding a header to your website configuration file. It must go in the HTTPS vhost; it cannot go in the HTTP vhost. Add the following line to your HTTPS vhost directive:
<VirtualHost 10.10.10.10:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
</VirtualHost>
The HSTS header is pretty self-explanatory. More info on HSTS can be found here.
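As an added example that is not part of the original post, here is a small Python audit of the Apache checks above, run over a constructed vhost configuration that makes the classic mistakes: the HSTS header placed in the port-80 vhost (where browsers ignore it), SSL compression left on, and "all -SSLv2" still leaving SSLv3 enabled. The one-year minimum max-age and treating an unset SSLProtocol as "all" are my assumptions, not the post's.

```python
import re
# Constructed sample (not from the post): HSTS in the :80 vhost, compression on, SSLv3 on.
SAMPLE_CONF = """
<VirtualHost 10.10.10.10:80>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
</VirtualHost>
<VirtualHost 10.10.10.10:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCompression on
</VirtualHost>
"""
MIN_MAX_AGE = 31536000  # assumed policy: HSTS max-age of at least one year

def directive(body, name):
    """Value of the last `name` directive in a vhost body, or None if absent."""
    return (re.findall(r"^\s*%s\s+(.+?)\s*$" % name, body, re.M | re.I) or [None])[-1]

def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv2' or '+TLSv1 +TLSv1.1 +TLSv1.2'."""
    on = set()
    for tok in value.split():
        if tok.lower() == "all":
            on |= {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
        elif tok.startswith("-"):
            on.discard(tok[1:])
        else:
            on.add(tok.lstrip("+"))
    return on

def audit(conf):
    """Return one finding per problem, for every <VirtualHost> block in conf."""
    findings = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        addr, body = m.group(1).strip(), m.group(2)
        tls = (directive(body, "SSLEngine") or "").lower() == "on"
        hsts = re.search(r'Strict-Transport-Security\s+"[^"]*max-age=(\d+)', body, re.I)
        if not tls:
            if hsts:  # browsers ignore HSTS sent over plain HTTP
                findings.append("%s: HSTS header in plain-HTTP vhost; move it to the HTTPS vhost" % addr)
            continue  # the remaining checks apply to the TLS vhost only
        if not hsts or int(hsts.group(1)) < MIN_MAX_AGE:
            findings.append("%s: HSTS header missing or max-age below %d" % (addr, MIN_MAX_AGE))
        weak = {"SSLv2", "SSLv3"} & enabled_protocols(directive(body, "SSLProtocol") or "all")
        if weak:  # an unset SSLProtocol is conservatively treated as "all"
            findings.append("%s: SSLProtocol still allows %s" % (addr, ", ".join(sorted(weak))))
        for name, want in (("SSLCompression", "off"), ("SSLHonorCipherOrder", "on")):
            if (directive(body, name) or "").lower() != want:
                findings.append("%s: %s is not set to %s" % (addr, name, want))
    return findings
```

Running audit(SAMPLE_CONF) reports five findings; the hardened configuration from this post passes with none.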
Now you can run the Qualys SSL Labs test again and be proud of the result.