Table of Contents

Apache and Let's Encrypt with strong SSL ciphers

Let's Encrypt

Let's Encrypt is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.

By default, certbot generates 2048 bit certificates, but 4096 bit should be preferred. This can be changed in the configuration:

/etc/letsencrypt/cli.ini
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

Then renew your certificate by requesting a new one for all your (sub)domains:

sudo certbot certonly -d quietlife.nl -d www.quietlife.nl -d wiki.quietlife.nl

And select 2: Renew & replace the cert (limit ~5 per 7 days).

SSL certificate renewal

Let's Encrypt certificates expire every three months, and certbot automatically renews them. After renewing the certificates, you have to reload Apache. This can be automated with a script you put in /etc/letsencrypt/renewal-hooks/post/:

/etc/letsencrypt/renewal-hooks/post/apache2.sh
#!/bin/sh
systemctl reload apache2.service

Make it executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/apache2.sh


Apache


Diffie-Hellman Ephemeral Parameters

Diffie–Hellman key exchange (D–H) is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman.

Generate dhparams.pem:

openssl dhparam -out dhparams.pem 4096
sudo mv dhparams.pem /etc/ssl/
sudo chown root:ssl-cert /etc/ssl/dhparams.pem
sudo chmod 640 /etc/ssl/dhparams.pem


SSL cipher suite

Create a global configuration file:

/etc/apache2/conf-available/ssl-ciphers.conf
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets off
 
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem"
SSLOpenSSLConfCmd Curves secp384r1
SSLOpenSSLConfCmd ECDHParameters secp384r1

Enable it:

sudo a2enconf ssl-ciphers


HTTP headers

Create a global configuration file:

/etc/apache2/conf-available/headers.conf
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"

Enable it:

sudo a2enmod headers
sudo a2enconf headers


Restart Apache

sudo systemctl restart apache2.service