a2enmod ssl
a2enmod headers
Edit the Apache configuration (the SSL virtual host):
SSLCertificateFile /etc/ssl/crt/«yourcert».pem
SSLCertificateKeyFile /etc/ssl/crt/«yourkey».pem
SSLCertificateChainFile /etc/ssl/crt/«intermediatechain».pem
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS
A ! in front of a cipher or cipher group permanently removes it from the list, so Apache will never use it, even if a later part of the string would otherwise add it back.
List the cipher suites that the local OpenSSL resolves this string to, in the order Apache will offer them:
openssl ciphers -v -ssl3 -tls1 'EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS'
With this configuration Apache prefers perfect forward secrecy (the EECDH and EDH suites). If forward secrecy cannot be negotiated, it falls back to plain AES suites. This configuration works with all newer browsers; the exceptions are older IE, older Java and a few bots.
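Before deploying the cipher string it is worth checking what the local OpenSSL actually resolves it to. The following Python script is an added example, not part of the original page or of Apache or OpenSSL; it parses the output format of `openssl ciphers -v` and checks it against the policy described above (forward secrecy first, no anonymous, NULL, RC4, DES/3DES, MD5, export, PSK, SRP or DSS suites). The sample lines are constructed, not captured tool output; in practice feed it the output of the command above.

```python
import re

# One line of `openssl ciphers -v` output: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(r"^(?P<name>\S+)\s+\S+\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
                     r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}     # EECDH/EDH; "any" = TLS 1.3 suites
BANNED_AU = {"None", "DSS", "PSK", "SRP"}     # !aNULL !DSS !PSK !SRP
BANNED_ENC = {"None", "RC4", "3DES", "DES"}   # !eNULL !RC4 !3DES !DES
BANNED_MAC = {"MD5"}                          # !MD5


def check_cipher_list(output):
    """Return policy violations in `openssl ciphers -v` output (empty list = OK):
    unauthenticated/unencrypted suites, excluded algorithms, and forward-secret
    suites ordered after plain-RSA key exchange (the order SSLHonorCipherOrder uses)."""
    problems, first_non_fs = [], None
    for line in output.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            problems.append(f"unparsable line: {line.strip()!r}")
            continue
        name, kx, au, mac = m["name"], m["kx"], m["au"], m["mac"]
        enc = m["enc"].split("(")[0]          # "AESGCM(256)" -> "AESGCM"
        if au in BANNED_AU or kx in ("PSK", "SRP"):
            problems.append(f"{name}: excluded authentication {au} (Kx={kx})")
        if enc in BANNED_ENC:
            problems.append(f"{name}: excluded encryption {enc}")
        if mac in BANNED_MAC:
            problems.append(f"{name}: excluded MAC {mac}")
        if name.startswith("EXP"):
            problems.append(f"{name}: export-grade suite (!EXP)")
        if kx in FORWARD_SECRET_KX:
            if first_non_fs:
                problems.append(f"{name}: forward secrecy ordered after {first_non_fs}")
        elif first_non_fs is None:
            first_non_fs = name
    return problems


# Constructed samples in `openssl ciphers -v` format, not captured tool output.
GOOD_SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH    Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA   Au=RSA  Enc=AES(256)    Mac=SHA1
"""
BAD_SAMPLE = """\
AES256-SHA                  SSLv3   Kx=RSA   Au=RSA  Enc=AES(256)    Mac=SHA1
AECDH-AES256-SHA            SSLv3   Kx=ECDH  Au=None Enc=AES(256)    Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA   Au=RSA  Enc=RC4(128)    Mac=MD5
"""
```

Running `check_cipher_list` on the real output (`openssl ciphers -v '...' | python3 -c 'import sys, check; print(check.check_cipher_list(sys.stdin.read()))'`) should return an empty list for the string above.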
Header always set Strict-Transport-Security
  Tells browsers that have reached the site over HTTPS to use only HTTPS for the next max-age seconds (one year here), for the subdomains as well.
SSLHonorCipherOrder On
  Use the server's preferred cipher order, not the browser's, which may select a weaker cipher.
EECDH
  Ephemeral elliptic-curve Diffie-Hellman, see ECDH.
EDH
  Ephemeral Diffie-Hellman, see Diffie–Hellman key exchange.
aNULL
  The cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.
eNULL
  The "NULL" ciphers, that is, those offering no encryption.
LOW
  "Low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.
MD5
  Cipher suites using the MD5 message-digest algorithm.
EXP
  Export encryption algorithms, including 40 and 56 bit algorithms.
PSK
  Cipher suites using pre-shared keys (PSK).
DSS
  Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.