This post shows how to get an A+ on the SSL Server Test from Qualys SSL Labs.
Enable SSL and headers module in Apache2.
a2enmod ssl
a2enmod headers
Edit Apache configuration.
SSLCertificateFile /etc/ssl/crt/«yourcert».pem
SSLCertificateKeyFile /etc/ssl/crt/«yourkey».pem
SSLCertificateChainFile /etc/ssl/crt/«intermediatechain».pem
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS
The ! preceding the cipher means that Apache will not use that cipher.
List the ciphers openssl supports with the current configuration.
openssl ciphers -v -ssl3 -tls1 'EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS'
With this configuration Apache will prefer cipher suites that offer perfect forward secrecy (the EECDH and EDH groups). If perfect forward secrecy can't be negotiated it falls back to the plain AES suites. This configuration works with all newer browsers; the exceptions are older IE, older Java and a few bots.
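As an added check that is not part of the original post, the following Python script lints a vhost snippet for exactly the settings the post asks for: SSLv2 and SSLv3 disabled, server-side cipher order, every excluded cipher family still excluded, EECDH and EDH listed before plain AES, and an always-set HSTS header with a max-age of at least one year. The sample configuration is constructed from the directives above; the function and constant names are mine.

```python
import re

# Constructed sample vhost snippet built from the directives in the post (not a live server's config).
SAMPLE_CONFIG = """
SSLEngine on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS
"""
# Cipher-string entries the post removes with "!"; each must still be excluded.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "LOW", "RC4", "3DES", "DES", "MD5", "EXP", "PSK", "SRP", "DSS"}

def parse_directives(text):
    """Return [(name, args)] pairs; Apache directive names are case-insensitive."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(" ")
            pairs.append((name.lower(), rest.strip()))
    return pairs

def check_tls_config(text):
    """Return a list of findings; an empty list means the snippet matches the post's settings."""
    pairs = parse_directives(text)
    d = dict(pairs)  # last occurrence wins, as in Apache for single-valued directives
    findings = []
    for legacy in ("SSLv2", "SSLv3"):  # legacy protocols must be explicitly disabled
        if f"-{legacy}" not in d.get("sslprotocol", "").split():
            findings.append(f"SSLProtocol does not disable {legacy}")
    if d.get("sslhonorcipherorder", "").lower() != "on":  # server, not client, picks the cipher
        findings.append("SSLHonorCipherOrder is not On")
    suite = d.get("sslciphersuite", "").split(":")
    for missing in sorted(REQUIRED_EXCLUSIONS - {c[1:] for c in suite if c.startswith("!")}):
        findings.append(f"SSLCipherSuite does not exclude {missing}")
    aes_pos = suite.index("AES") if "AES" in suite else len(suite)
    for group in ("EECDH", "EDH"):  # forward-secrecy groups must come before plain AES
        if group not in suite or suite.index(group) > aes_pos:
            findings.append(f"{group} missing or listed after AES, so forward secrecy is not preferred")
    hsts = [a for n, a in pairs if n == "header" and "Strict-Transport-Security" in a]
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not hsts or not hsts[0].startswith("always set") or m is None:
        findings.append("no 'Header always set Strict-Transport-Security' directive with max-age")
    elif int(m.group(1)) < 31536000:  # the post's one-year value
        findings.append("HSTS max-age is shorter than one year")
    return findings
```

Run it against your own vhost file (for example `check_tls_config(open("/etc/apache2/sites-enabled/default-ssl.conf").read())`) before re-testing with SSL Labs; it checks the directives as written, not what mod_ssl actually negotiates, so the openssl ciphers command above remains the authoritative view of the resulting cipher list.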
Where no link to the information source is given, the description is taken from the documentation on openssl.org.
Header always set Strict-Transport-Security
Force the browser to use HTTPS even if the user enters HTTP. The browser should remember this setting for a long time, for example a year (max-age=31536000 seconds).
SSLHonorCipherOrder On
Use the server's preferred cipher order, not the browser's, which may select a weaker cipher.
EECDH
Ephemeral elliptic-curve Diffie-Hellman, see ECDH.
EDH
Ephemeral Diffie-Hellman, see Diffie–Hellman key exchange.
AES
Advanced Encryption Standard.
!aNULL
The cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.
!eNULL
The «NULL» ciphers, that is those offering no encryption.
!LOW
«Low» encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.
!RC4
RC4 stream cipher. After attacks on RC4 it is said to be vulnerable. See New RC4 Attack for more information.
!3DES, !DES
Data Encryption Standard, in its triple and single forms.
!MD5
MD5 message-digest algorithm.
!EXP
Export encryption algorithms, including 40 and 56 bit algorithms.
!PSK
Cipher suites using pre-shared keys (PSK).
!SRP
Secure Remote Password protocol.
!DSS
Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.