Show pageBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ===== Apache and Let's Encrypt with strong SSL ciphers ===== ==== Let's Encrypt ==== > [[https://en.wikipedia.org/wiki/Let%27s_Encrypt|Let's Encrypt]] is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. By default, certbot generates 2048 bit certificates, but 4096 bit should be preferred. This can be changed in the configuration: <file bash /etc/letsencrypt/cli.ini> # Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096 </file> Then renew your certificate by requesting a new one for all your (sub)domains: <code bash> sudo certbot certonly -d quietlife.nl -d www.quietlife.nl -d wiki.quietlife.nl </code> And select ''2: Renew & replace the cert (limit ~5 per 7 days)''. \\ \\ === SSL certificate renewal === Let's Encrypt certificates expire every three months, and certbot automatically renews them. After renewing the certificates, you have to reload Apache. This can be automated with a script you put in ''/etc/letsencrypt/renewal-hooks/post/'': <code bash /etc/letsencrypt/renewal-hooks/post/apache2.sh> #!/bin/sh systemctl reload apache2.service </code> Make it executable: <code bash> sudo chmod +x /etc/letsencrypt/renewal-hooks/post/apache2.sh </code> ---- \\ ==== Apache ==== \\ === Diffie-Hellman Ephemeral Parameters === > [[https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange|Diffie–Hellman key exchange]] (D–H) is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. Generate ''dhparams.pem'': <code bash> openssl dhparam -out dhparams.pem 4096 sudo mv dhparams.pem /etc/ssl/ sudo chown root:ssl-cert /etc/ssl/dhparams.pem sudo chmod 640 /etc/ssl/dhparams.pem </code> \\ === SSL cipher suite === Create a global configuration file: <file apache /etc/apache2/conf-available/ssl-ciphers.conf> SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM SSLHonorCipherOrder on SSLCompression off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" SSLSessionTickets off SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem" SSLOpenSSLConfCmd Curves secp384r1 SSLOpenSSLConfCmd ECDHParameters secp384r1 </file> Enable it: <code bash> sudo a2enconf ssl-ciphers </code> \\ === HTTP headers === Create a global configuration file: <file apache /etc/apache2/conf-available/headers.conf> Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" Header always set X-Content-Type-Options "nosniff" Header always set X-Frame-Options "DENY" </file> Enable it: <code bash> sudo a2enmod headers sudo a2enconf headers </code> ---- \\ ==== Restart Apache ==== <code bash> sudo systemctl restart apache2.service </code> ----