Brian F Love
Learn from a Google Developer Expert focused on Angular, Web Technologies, and Node.js from Portland, OR.
Ad ·ultimatecourses.com
Learn Angular the right way with Ultimate Courses

HTTPS Protocols and Ciphers

As part of a series on using HTTPS Everywhere we are migrating a website from HTTP to HTTPS.Previously we configured our web server with an SSL certificate, and we are now ready to configure the SSL engine on our server.

For this article I will mention the best practices for configuring both your Apache and IIS web server. For the IIS configuration I will be using the free IIS Crypto tool by Nartac Software.

FWIW, I am not a security expert. So, I am following the best practices as prescribed byMozilla on their server side TLS article.

Apache Web Server

For the apache configuration I will generally copy/paste the recommended configuration from Mozilla. Here is what I did:

These modifications are made to thehttpd-ssl.conffile, which is located for me at:/etc/apache2/extra/httpd-ssl.conf.

#General setup for the virtual hostDocumentRoot"/www/local.example.com/www"ServerNamelocal.example.comErrorLog"/private/var/log/apache2/local.example.com-error_log"CustomLog“/private/var/log/apache2/local.example.com-access_log”common#SSL Engine Switch:SSLEngineon#Server Certificate:SSLCertificateFile"/private/etc/apache2/ssl/local.example.com.crt"#Server Private Key:SSLCertificateKeyFile"/private/etc/apache2/ssl/local.example.com.key"#SSL Engine Options:<FilesMatch"\.(cgi|shtml|phtml|php)$">SSLOptions+StdEnvVars <Directory"/Library/WebServer/CGI-Executables">SSLOptions+StdEnvVars# Intermediate configuration, tweak to your needsSSLProtocolall -SSLv2 -SSLv3SSLCipherSuite"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"SSLHonorCipherOrderonSSLCompressionoff#在Apache 2.4 +, SSLStaplingCache必须设置* outside* of the VirtualHostSSLStaplingCacheshmcb:/var/run/ocsp(128000)

The SSL configuration above does the following.

  • The first property namedSSLProtocoltells OpenSSL to use all protocols except for the outdated SSL version 2.0 and 3.0 protocols.
  • The second property namedSSLCipherSuite是使用优选的密码的列表。这是我从Mozilla页面获得的字符串,并注意它被双引号包围。当我们设置下一个属性时,密码的顺序会很重要。
  • The third property namedSSLHonorCipherOrdersays that the order of the ciphers listed is the preferred order to use when establishing a secure connection. We simply set this to on.

As a side note, you can validate that your openssl version supports the ciphers. Just copy the list of ciphers into the following command:

$ openssl ciphers -v'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

The result of running this command indicates that all ciphers are supported.

OpenSSL Ciphers

As always, we want to test our Apache configuration and restart the server. Assuming everything is OK, we should be able to pull up our HTTPS site in a modern browser.

IIS Crypto

Setting up the IIS cryptography is simplified greatly by using a free tool from Nartac Software called IIS Cryto.Download IIS Crypto

The download is just a.exefile. Copy this to the desktop and launch it. I will simply select theBest Practicesoption and clickApply. These options will disable the old protocols (SSL v 2.0 and 3.0) and will set the recommended cipher suites.

IIS Crypto

After applying the new settings be sure to restart the Windows server.

Testing SSL

The last step is to test our SSL configuration. There are three popular, and free, tools that will help you. I prefer to use the Qualys tool.

这是来自Qualys SSL Labs网站的Score的屏幕截图。

Qualys SSL Labs

Brian F Love

Hi, I'm Brian. I am interested in TypeScript, Angular and Node.js. I'm married to my best friend Bonnie, I live in Portland and I ski (a lot).