Force Apache to use strong cryptography
I’ve been poking at this for a while, but with some testing via Qualys SSL Labs, I’ve finally been able to devise the incantation that makes Apache only use strong cryptography. Before pointing it out, some background is probably necessary.
As anyone, users or webmasters, is probably aware, “https” uses encryption, and that encryption has been increasingly under attack on the internet – either in its implementation (Poodle, Heartbleed, etc.) or on the strength of its ability to protect information (NSA, governments, etc.). To mitigate this, it is necessary to use up-to-date, strong cryptography.
The Apache web server allows a lot of configuration options that allow backward compatibility to the stone-ages of computing. However, in order to keep things secure, it can be limited to the modern, strong ciphers.
Note: Doing this has the effect of blocking out combinations of old operating systems and old browsers. So if you employ this, recognize that come customers may be locked out because their browser can’t negotiate a secure connection.
In your ssl.conf, put in the following line:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !MEDIUM !AES128 !CAMELLIA128 !3DES !MD5 !EXP !PSK !SRP !DSS"
and restart your server. This will force:
- 256-bit cryptography
- TLS 1.2
for all inbound connections, and it will prevent connections from browsers that can’t do it.
Obviously, if you’re reading this on my web site, you could negotiate good cryptography and are not locked out. However, according to SSL Labs, the following classes of users may be locked out:
- Android: v2.3.7, v4.0.4, v4.1.1, v4.2.2, v4.3
- Internet Explorer: 10 and below on any platform
- Java: 6u45, 7u25, 8u31
- OpenSSL: 0.9.8y
- Safari: 5.1.9, 6.0.4
- Possibly others that aren’t explicitly tested
Interestingly, Firefox has its own encryption engine and even on XP can handle strong ciphers. Lack of a good crypto engine is a major drawback to using XP on the modern internet, and Firefox took matters into their own hands. Good on ’em!
I’d like to see more web sites do this, so weak cryptography will die the death it needs to, and so all web users will be safer.