How do I enable perfect forward secrecy by default

2019-03-07 10:45发布

站内问答 / 前沿技术
1891 8 5

Warning: please only use the recommendations for Apache configuration from the answers below. For which cipher(s) to use - security norms change over time and some of the security advice below is already out of date.

In the wake of recent events, I have been reconsidering my Apache setup. Currently, my apache site config looks something like this:

 <IfModule mod_ssl.c>
    <VirtualHost *:80>
            ServerName example.com
            ServerAlias www.example.com
            Redirect permanent / https://example.com
    </VirtualHost>

    <VirtualHost *:443>
            ServerAdmin webmaster@localhost
            ServerName example.com

            DocumentRoot /var/www-wordpress
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory /var/www-wordpress>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride FileInfo
                    Order allow,deny
                    allow from all
            </Directory>

            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>

            ErrorLog ${APACHE_LOG_DIR}/error.log
            LogLevel warn

            CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
            SSLCertificateFile    /etc/ssl/certs/example.com.crt
            SSLCertificateKeyFile /etc/ssl/private/example.com.key
            SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>

            BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
            BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>

What do I have to do to support perfect forward secrecy? How can I enable SSL perfect forward secrecy by default? How could I enforce it?

8条回答
看我几分像从前
2楼-- · 2019-03-07 11:14

From my own understanding, you need to activate SSLHonorCipherOrder and to prepend SSLCipherSuite with ECDHE and DHE ciphers from openssl ciphers -v

From my /etc/apache2/mods-available/ssl.conf:

SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

To test your website, you can use: https://www.ssllabs.com/ssltest

Note: Eliptic Curve DHE only seems to work with Apache 2.3.3 or higher (see source and Bruno's comment).

查看更多
0人赞 添加讨论(0) 举报
该账号已被封号
3楼-- · 2019-03-07 11:16

This article will help you configure forward security and get you up to date on current standards - https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

As of 09/16/2015, this will get you an A on SSLLabs test results.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
查看更多
0人赞 添加讨论(0) 举报
上一页 1 2
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)