vHost and TLS Ciphers for Apache2/openSSL

openSSL cipherlist

The ciphers command converts textual OpenSSL cipher lists into ordered SSL cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist.

A good idea is to have a look at BetterCrypto.org. They share lots of good examples and practical recommendations for hardening your server.

Their recommendation for the Apache web server:

# Enabled modules SSL and Headers are required.

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add six earth month HSTS header for all users...
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

This is a good example and also provides good connectivity for most browsers in use.

Result of the command “openssl ciphers -v” with BetterCrypto's cipher list:

root@host:~# openssl ciphers -v 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

I changed their recommended cipher list and made it a little stricter. This does not cover 100% of legacy browser versions. (Thanks to MacLemon.)

SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA'

If we want to see which ciphers the server actually offers with the improved cipher list, this can easily be checked at ssllabs.com: https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.tld. This list has a cipher strength rating of 100/100. All ciphers support Forward Secrecy. This is what we want; Perfect Forward Secrecy is more important than ever.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384    DHE-RSA-AES256-GCM-SHA384   TLS v1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256    DHE-RSA-AES256-SHA256       TLS v1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  ECDHE-RSA-AES256-GCM-SHA384 TLS v1.2
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  DHE-RSA-CAMELLIA256-SHA     TLS v1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA       DHE-RSA-AES256-SHA          TLS v1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     ECDHE-RSA-AES256-SHA        TLS v1.0
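The forward-secrecy claim above can be checked locally before a vhost goes live. The following is an added example, not code from this post or from BetterCrypto: a small shell script that feeds the stricter cipher string to "openssl ciphers -v" and audits every resulting suite, flagging any whose key exchange is not ephemeral (EC)DH (Kx=DH, Kx=ECDH, or Kx=any for TLS 1.3 suites, which always have forward secrecy) and any whose name hits a deny list (RC4, 3DES, MD5, NULL, export). When openssl is not installed it falls back to a constructed sample of what "openssl ciphers -v" prints for that string; the function name audit_ciphers and the sample are my own. One caveat worth noting on this page: the "openssl ciphers -v" command shown earlier uses "!SSLv3" where the BetterCrypto string has "+SSLv3". The "!" removes the SSLv3-era CBC suites from the list entirely, while "+" only moves them to the end, which is why that output lists TLSv1.2 suites only.

```shell
#!/bin/sh
# Added example (not from the original post): audit an SSLCipherSuite string
# for forward secrecy using the output format of "openssl ciphers -v".

# Cipher string under test, as recommended in the post.
CIPHERS='DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA'

# Constructed sample of "openssl ciphers -v $CIPHERS" output (OpenSSL 1.0.x
# style), used only when openssl is not installed.
SAMPLE='DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1'

# audit_ciphers: reads "openssl ciphers -v" lines on stdin and prints one line
# per suite: name, FS or NO-FS (ephemeral key exchange), AEAD or CBC, and WEAK
# if the name hits the deny list. Exit status 1 if any suite is NO-FS or WEAK,
# or if the list is empty.
audit_ciphers() {
    awk '
        NF >= 6 {
            name = $1; kx = $3; mac = $NF
            # "Kx=DH" and "Kx=ECDH" are the ephemeral variants; static DH/ECDH
            # suites print as Kx=DH/RSA etc. and are therefore NO-FS here.
            fs   = (kx == "Kx=DH" || kx == "Kx=ECDH" || kx == "Kx=any") ? "FS" : "NO-FS"
            aead = (mac == "Mac=AEAD") ? "AEAD" : "CBC"
            weak = (name ~ /RC4|3DES|DES-CBC|MD5|NULL|EXP/) ? " WEAK" : ""
            printf "%-32s %-5s %s%s\n", name, fs, aead, weak
            if (fs != "FS" || weak != "") bad++
        }
        END { exit (NR == 0 || bad > 0) }
    '
}

# Use the real openssl when available, otherwise the constructed sample.
if command -v openssl >/dev/null 2>&1; then
    INPUT=$(openssl ciphers -v "$CIPHERS")
else
    INPUT=$SAMPLE
fi

if printf '%s\n' "$INPUT" | audit_ciphers; then
    echo "OK: every suite offers forward secrecy"
else
    echo "WARNING: review the suites marked NO-FS or WEAK"
fi
```

Run it after every change to SSLCipherSuite; a newer OpenSSL will append its TLS 1.3 suites (Kx=any) to the output, which the audit accepts as forward secret.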

HSTS – HTTP Strict Transport Security

# Add six earth month HSTS header for all users...
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"

I would not recommend HSTS if your domain has subdomains with self-signed certificates: you can't use them anymore. HSTS is a good way to force HTTP->HTTPS and brings other improvements as well.

But it would require a valid CA-signed certificate for each subdomain, or a wildcard certificate, which is costly. Instead I use Apache's rewrite engine.

Rewrite port 80 to 443 vhost entry

root@host:/# cat /etc/apache2/sites-available/100-default-rewrite-ssl
<VirtualHost *:80>
    ServerName *.mydomain.tld
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

This ensures that all traffic is redirected to https/443.

Name-based vHosts

After creating a vhost entry, it needs to be enabled:

root@host:/etc/apache2/sites-available# a2ensite 103-new_vhost-ssl 
Enabling site 103-new_vhost-ssl.
To activate the new configuration, you need to run:
  service apache2 reload

Reload the Apache config:

root@blog:/etc/apache2/sites-available# /etc/init.d/apache2 reload
[ ok ] Reloading web server config: apache2.

Or disable a vhost with one command:

root@blog:/etc/apache2/sites-available# a2dissite 105-old_vhost-ssl 
Site 105-old_vhost-ssl disabled.
To activate the new configuration, you need to run:
  service apache2 reload

Simple HTTPS/TLS Port 443 vHost for Apache

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@mydomain.tld
        DocumentRoot /var/www/new_vhost
        ServerName new_vhost.mydomain.tld

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/new_vhost/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLCompression off
        SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA'
        SSLCertificateFile    /etc/ssl/certs/new_vhost.mydomain.tld.pem
        SSLCertificateKeyFile /etc/ssl/private/new_vhost.mydomain.tld.key
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
</VirtualHost>
</IfModule>

Wildcard redirect for all unused SubDomains

The vhost file for the wildcard redirect needs a name beginning with a high number, so that all lower-numbered vHosts can match before the redirect vHost is used.

root@host:~# cat /etc/apache2/sites-available/999-default-404-ssl 
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAlias *.mydomain.tld
    Redirect 404 /
    ErrorDocument 404 https://vhost1.mydomain.tld/404_vhost.html
    ServerAdmin webmaster@mydomain.tld

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCompression off
    SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA'
    SSLCertificateFile    /etc/ssl/certs/vhost1.mydomain.tld.pem
    SSLCertificateKeyFile /etc/ssl/private/vhost1.mydomain.tld.key
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

</VirtualHost>
</IfModule>

List order of vHosts for Apache

root@blog:/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server vhost1.mydomain.tld (/etc/apache2/sites-enabled/100-vhost1-ssl:2)
         port 443 namevhost vhost1.mydomain.tld(/etc/apache2/sites-enabled/100-vhost1-ssl:2)
         port 443 namevhost new_vhost.mydomain.tld(/etc/apache2/sites-enabled/103-new_vhost-ssl:1)
         port 443 namevhost vhost1.mydomain.tld (/etc/apache2/sites-enabled/999-default-404-ssl:2)
*:80                   is a NameVirtualHost
         default server *.mydomain.tld (/etc/apache2/sites-enabled/100-default-rewrite-ssl:1)
         port 80 namevhost *.mydomain.tld (/etc/apache2/sites-enabled/100-default-rewrite-ssl:1)
Syntax OK
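To confirm that Apache really consults the numbered vHosts before the 999 catch-all, the order printed by "apachectl -S" can be checked in a script instead of by eye. The following is an added example, not part of the post: two shell functions (my own names, vhost_order and catchall_is_last) that parse the "apachectl -S" dump, list the vhosts per port in the order Apache tries them, and verify that the last entry on port 443 comes from the catch-all file. The dump embedded below is a constructed sample copied from the output shown above; the script reads a live "apachectl -S" when that command is available.

```shell
#!/bin/sh
# Added example (not from the original post): check the name-based vhost order
# that "apachectl -S" reports, so the wildcard catch-all is consulted last.

# Constructed sample of "apachectl -S" output, taken from the post above.
SAMPLE='VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server vhost1.mydomain.tld (/etc/apache2/sites-enabled/100-vhost1-ssl:2)
         port 443 namevhost vhost1.mydomain.tld(/etc/apache2/sites-enabled/100-vhost1-ssl:2)
         port 443 namevhost new_vhost.mydomain.tld(/etc/apache2/sites-enabled/103-new_vhost-ssl:1)
         port 443 namevhost vhost1.mydomain.tld (/etc/apache2/sites-enabled/999-default-404-ssl:2)
*:80                   is a NameVirtualHost
         default server *.mydomain.tld (/etc/apache2/sites-enabled/100-default-rewrite-ssl:1)
         port 80 namevhost *.mydomain.tld (/etc/apache2/sites-enabled/100-default-rewrite-ssl:1)
Syntax OK'

# vhost_order: reads an "apachectl -S" dump on stdin and prints "PORT FILE" for
# every namevhost line, in the order Apache will try them (config order).
vhost_order() {
    awk '/^[ \t]*port [0-9]+ namevhost/ {
        port = $2
        # The defining file is in parentheses at the end: (/path/to/file:LINE)
        if (match($0, /\([^)]*:[0-9]+\)/)) {
            f = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/:[0-9]+$/, "", f)
            print port, f
        }
    }'
}

# catchall_is_last PORT PATTERN: returns 0 if the last vhost Apache consults on
# PORT is defined in a file whose path contains PATTERN, otherwise 1.
catchall_is_last() {
    port=$1
    pattern=$2
    last=$(vhost_order | awk -v p="$port" '$1 == p { f = $2 } END { print f }')
    case "$last" in
        *"$pattern"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Use the live configuration when apachectl works here, else the sample.
# (Apache 2.2 printed the dump on stderr, hence 2>&1.)
DUMP=$(apachectl -S 2>&1) || DUMP=$SAMPLE

echo "vhosts in lookup order:"
printf '%s\n' "$DUMP" | vhost_order
if printf '%s\n' "$DUMP" | catchall_is_last 443 999-default-404; then
    echo "OK: the wildcard catch-all is the last vhost on port 443"
else
    echo "WARNING: a vhost is ordered after the catch-all on port 443 and will never be reached"
fi
```

The dump also shows why the catch-all appears as "vhost1.mydomain.tld": it sets only a ServerAlias, so Apache prints the inherited main server name for it. Requests for unknown subdomains still reach it, because the earlier name-based vhosts are tried first and only an unmatched name falls through to the wildcard alias.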



Sources:

Name based vhosts https://httpd.apache.org/docs/2.2/vhosts/name-based.html

Add SSL to your Website http://freedif.org/add-ssl-to-your-website-https-made-easy/

Redirect 80 to Subdomain http://freedif.org/how-to-redirect-a-port-to-a-sub-domain-proxypass/

Apache2 Docs on SSL and TLS https://httpd.apache.org/docs/2.4/ssl/

ciphers – SSL cipher display and cipher list tool https://www.openssl.org/docs/apps/ciphers.html

https://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

http://www.sitepoint.com/apache-mod_rewrite-examples/

https://crashingdaily.wordpress.com/2008/03/31/steering-users-away-from-nonexistent-apache-virtual-hosts/

