SSL On Your Web Server – A Certificate is Just the Start, by Peter S.

If you are running a web server for your business and taking orders from customers, then you have probably acquired a certificate to encrypt the network traffic between your customers’ web browsers and your web server. However, how well are you really doing it?

The SSL Labs website offers a free service to test how well your web server is configured for this goal. Someone may have already run the test and made a decision about your business just based on the results.
Remember, if your web server is exposed to the Internet, then anyone can run this test. You may also want to use this free service to test the web servers of your email provider, bank, and other websites where you are ordering goods and services.

I offer you some tips to tighten the configuration of your web server. These tips are specific to the Apache Web Server (version 2.4.x and higher). I run a commercial-software service using Apache and have implemented the same changes on my web servers around the world.

First, I assume you have a Certificate and have installed it with Apache. I won’t explain how to install the Certificate in this article; there are plenty of good sites on the Internet to help you with that task. If you have not purchased a Certificate or are coming up for renewal, then consider acquiring the Certificate:

  • from a reputable source
  • with a RSA 2048-bit key
  • with a SHA256withRSA signature algorithm.

Second, turn off the signature of Apache. You don’t want to tell a hacker the versions of Apache, OpenSSL, and more in use on your web server. You only want to say the minimum of Apache. In the subfolder /conf-available, make these changes in the file security.conf:

  • set the parameter ServerSignature to Off
  • set the parameter ServerTokens to Prod

Third, specify which protocols and ciphers will be enabled on Apache, and more. These changes will significantly influence your score on the SSL Labs website. In the sub folder/mods-available, make these changes in the file ssl.conf:

  • set the parameter SSLCompression to Off
  • set the parameter SSLHonorCipherOrder to On
  • set the parameter SSLCipherSuite to
    EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  • set the parameter SSLProtocol to +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3

If you are running a business-to-business website and everyone is serious about security, then you might remove support for the TLS v1.0 and TLS v1.1 protocols by specifying a minus (-) in front of each protocol. Microsoft recently stopped supporting their Internet Explorer (IE) web browsers prior to version 11, so now the common browsers such as Chrome, Firefox, IE, and Safari all support TLS v1.2. Be aware that a prospect or customer running an older web browser might not be able to access your website if you make this change.

Finally, implement Strict Transport Security for your web server. This helps avoid a “man in the middle” attack. In the sub folder /sites-available, add this line to the .conf file for your website: Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains”

You may implement these changes separately to see how they influence the score on the SSL Labs website. Remember to restart Apache after making any changes to the configuration. You may then test the configuration again on the SSL Labs website.

In closing, if you’re going to take orders, personal information, or credit/banking information (PCI) on your web server, then demonstrate to your customers that you are serious about security.

Sincerely, Peter (Doing IT work for 28+ years outside of Seattle)