Ever since Edward Snowden revealed some of the NSA's secrets, a lot of websites have been looking into options to secure their traffic. Using SSL/TLS for HTTPS connections is one of the most widely used techniques, but using the right settings is just as important: most modern web servers ship with all cipher suites enabled, so fine tuning is necessary.
I’m using Ubuntu for my servers. This short howto relies on their command set.
Configuration
Apache 2.x
Enable mod_headers
Enable headers
a2enmod headers
Edit your SSL-enabled VirtualHost and add the following settings.
Settings from default-ssl.conf
# SSL settings for Heartbleed and POODLE mitigation
# Test at https://www.ssllabs.com/ssltest/analyze.html?d=blog.dobrev.eu
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
# Enable HSTS (HTTP Strict Transport Security)
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Disable site embedding using i/frames
Header always set X-Frame-Options DENY
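The following POSIX sh script is an added example, not part of the original post: it lints an Apache VirtualHost fragment for the four settings recommended above (SSLv2/SSLv3 disabled, a cipher string that excludes anonymous, RC4 and MD5 suites, an HSTS header set with "always", and X-Frame-Options), so you can run it over a config before reloading Apache or submitting the host to the SSL Labs test. The two config fragments in the script are constructed samples, and the function names and the list of excluded cipher keywords are this example's own choices. One caveat on the snippet's comment: Heartbleed is a bug in OpenSSL's heartbeat code and is fixed by updating the OpenSSL package; the protocol and cipher settings above address POODLE (SSLv3) and weak suites, not Heartbleed.

```shell
#!/bin/sh
# Added example (not from the original post): lint the SSL/TLS settings of an
# Apache VirtualHost fragment. check_ssl_config takes the config text as its
# first argument, prints one FAIL line per problem and returns the number of
# problems found (0 = every recommended setting is present).

# Constructed sample: a fragment that matches the howto's settings.
GOOD_CONF='SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY'

# Constructed sample: SSLv3 and RC4 still allowed, no HSTS, no "always".
WEAK_CONF='SSLProtocol All
SSLCipherSuite "ALL:!aNULL"
Header set X-Frame-Options SAMEORIGIN'

# directive_value CONFIG_TEXT DIRECTIVE: print the value of the first matching
# directive (Apache directive names are case-insensitive), empty if absent.
directive_value() {
    printf '%s\n' "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

check_ssl_config() {
    conf=$1
    fails=0

    # 1. SSLProtocol must not leave SSLv2/SSLv3 reachable (POODLE).
    #    "All" or an explicit "SSLvN" needs a matching "-SSLvN".
    proto=$(directive_value "$conf" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "FAIL: no SSLProtocol directive (server default applies)"
        fails=$((fails + 1))
    else
        for v in SSLv2 SSLv3; do
            if printf '%s\n' "$proto" | grep -Eiq "(^|[[:space:]])(all|[+]?$v)([[:space:]]|$)" \
               && ! printf '%s\n' "$proto" | grep -Eiq "(^|[[:space:]])-$v([[:space:]]|$)"; then
                echo "FAIL: $v still enabled in 'SSLProtocol $proto'"
                fails=$((fails + 1))
            fi
        done
    fi

    # 2. SSLCipherSuite must be present and explicitly exclude the keywords
    #    the howto's string excludes (heuristic: look for "!KEYWORD").
    ciphers=$(directive_value "$conf" SSLCipherSuite)
    if [ -z "$ciphers" ]; then
        echo "FAIL: no SSLCipherSuite directive (library default applies)"
        fails=$((fails + 1))
    else
        for bad in aNULL RC4 MD5; do
            case "$ciphers" in
                *"!$bad"*) ;;
                *) echo "FAIL: SSLCipherSuite does not explicitly exclude $bad"
                   fails=$((fails + 1)) ;;
            esac
        done
    fi

    # 3. HSTS header with a max-age, set with "always" so error responses get it too.
    hsts=$(printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' || true)
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header (HSTS)"
        fails=$((fails + 1))
    else
        case "$hsts" in
            *max-age=*) ;;
            *) echo "FAIL: HSTS header has no max-age"; fails=$((fails + 1)) ;;
        esac
        if ! printf '%s\n' "$hsts" | grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]'; then
            echo "FAIL: HSTS header not set with 'always' (omitted on error responses)"
            fails=$((fails + 1))
        fi
    fi

    # 4. X-Frame-Options DENY or SAMEORIGIN against framing/clickjacking.
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*Header[[:space:]].*X-Frame-Options[[:space:]]+"?(DENY|SAMEORIGIN)'; then
        echo "FAIL: X-Frame-Options not set to DENY or SAMEORIGIN"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# Stand-alone run over both constructed samples.
echo "== howto settings"
check_ssl_config "$GOOD_CONF" && echo "OK"
echo "== weak settings"
check_ssl_config "$WEAK_CONF" || echo "$? problem(s) found"
```

To lint a real VirtualHost file, call `check_ssl_config "$(cat /etc/apache2/sites-enabled/default-ssl.conf)"` (path assumed to be where your SSL VirtualHost lives). The cipher check is deliberately a string heuristic: it only confirms that the listed keywords are excluded explicitly, so the SSL Labs test linked in the config comment remains the authoritative check of what the server actually negotiates.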