This website is about SSL/TLS protocol security settings using the Apache web server on a virtual server from ZonerCloud.
The main topic is changing the default security settings of a Debian server, whose default settings are obsolete and not suitable for general use.


Zoner software a.s. has been a provider of complete internet services since 1996.

Default Configuration is Not Suitable

The default server configuration in Debian (version 7) is not suitable for production servers. A server with the default settings still accepts the obsolete SSLv3 protocol, which is deprecated.

Changing the SSL/TLS settings

These are the main issues with the outdated default configuration that you must correct:

Disabling the SSLv3 Protocol

Disabling the dated and obsolete SSLv3 protocol is very simple. You can disable it per virtual host or for the whole server; disabling it for the whole server is simpler and better.

Edit in file /etc/apache2/mods-available/ssl.conf:
SSLProtocol all -SSLv2 -SSLv3

Disabling the RC4 encryption

The RC4 cipher is considered problematic because it is the vector of the BEAST vulnerability.

Disabling a cipher is simple: put an exclamation mark in front of the unwanted cipher and the server will stop using it.

Edit in file /etc/apache2/mods-available/ssl.conf:
SSLCipherSuite ... !RC4

Forward Secrecy

Forward Secrecy is designed to protect transferred information against later decryption (for instance after the private key has been stolen). The prerequisite for working Forward Secrecy is the Diffie-Hellman key exchange in its two variants, DHE and ECDHE.

You will find more about the use of Forward Secrecy in the article SSL Labs: Deploying Forward Secrecy. If you do not want to study the topic, it is enough to set up the ciphers below in the configuration.

Edit in /etc/apache2/mods-available/ssl.conf:
SSLHonorCipherOrder on

SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
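The three changes above can be checked offline before Apache is reloaded. The following script is an added example written for this article; it is not the article's own code and not anything shipped by Debian, Apache or Zoner. It reads a mod_ssl configuration text, expands the SSLProtocol tokens, and reports whether SSLv2/SSLv3 are still enabled, whether !RC4 is present, and whether SSLHonorCipherOrder is on with a DHE/ECDHE suite first. The two sample configurations embedded in it are constructed: the "default" one resembles Debian 7's ssl.conf but is not copied from it, and the hardened cipher list is a shortened form of the list above. Treating "all" as every protocol name in the script's list is an assumption made to keep the check conservative.

```python
"""Offline audit of an Apache mod_ssl configuration against the three
fixes in this article: no SSLv2/SSLv3, RC4 disabled, and a server-enforced
cipher order that prefers DHE/ECDHE (Forward Secrecy).

Added example, not part of the original article; it only reads a config
text and reports findings, it does not touch the server."""
import re
import shlex

# Protocol names mod_ssl accepts. "all" is ASSUMED to expand to every entry;
# a given Apache/OpenSSL build may define it more narrowly, so this check
# errs on the side of reporting a problem.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# OpenSSL cipher-name prefixes whose key exchange gives Forward Secrecy.
PFS_PREFIX = re.compile(r"^(ECDHE-|DHE-|kEDH|kEECDH)")


def parse_directives(conf_text):
    """Map lowercase directive name -> argument list (last occurrence wins).
    Apache only allows '#' comments at line start, so only those are
    stripped; <IfModule>/<VirtualHost> section tags are skipped."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)  # unwraps the quoted SSLCipherSuite value
        found[parts[0].lower()] = parts[1:]
    return found


def enabled_protocols(args):
    """Apply SSLProtocol tokens in order: all, +name, -name, or a bare name."""
    enabled = set()
    for tok in args:
        if tok.lower() == "all":
            enabled.update(PROTOCOLS)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        elif tok.startswith("+"):
            enabled.add(tok[1:])
        else:
            enabled.add(tok)
    return enabled


def audit(conf_text):
    """Return a list of findings; an empty list means all three fixes are present."""
    d = parse_directives(conf_text)
    findings = []

    # 1. SSLv2/SSLv3 must be removed (mod_ssl's own default is "all").
    protos = enabled_protocols(d.get("sslprotocol", ["all"]))
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in protos:
            findings.append(f"{legacy} still enabled: add -{legacy} to SSLProtocol")

    # 2. RC4 must be explicitly killed with the '!' prefix, as the article does.
    ciphers = [c for c in d.get("sslciphersuite", ["DEFAULT"])[0].split(":") if c]
    if "!RC4" not in ciphers:
        findings.append("RC4 not disabled: append !RC4 to SSLCipherSuite")

    # 3. Forward Secrecy: the server must enforce its order and list a
    #    DHE/ECDHE suite first, otherwise a client may pick a non-PFS suite.
    if d.get("sslhonorcipherorder", ["off"])[0].lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client chooses the cipher")
    preferred = [c for c in ciphers if c[0] not in "!-+"]
    if not preferred or not PFS_PREFIX.match(preferred[0]):
        findings.append("first cipher is not DHE/ECDHE: no Forward Secrecy preference")
    return findings


# Constructed sample resembling the Debian 7 defaults the article criticises
# (not copied from the real file).
DEBIAN7_DEFAULT_SAMPLE = """\
<IfModule mod_ssl.c>
# Debian 7 style defaults (constructed sample)
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol all -SSLv2
</IfModule>
"""

# Constructed sample after the three fixes; the cipher list is a shortened
# version of the article's list, keeping its order and kill-tokens.
HARDENED_SAMPLE = """\
<IfModule mod_ssl.c>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
</IfModule>
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_ssl_conf.py /etc/apache2/mods-available/ssl.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEBIAN7_DEFAULT_SAMPLE
    for finding in audit(text) or ["no findings: SSLv3 off, RC4 off, PFS preferred"]:
        print(finding)
```

Run it with the path to /etc/apache2/mods-available/ssl.conf as its argument; without an argument it audits the built-in constructed default, which produces four findings. It is a configuration check only: confirming what the running server actually negotiates still requires a handshake test against the live server, which is what the SSLlabs scan covers.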

Testing the new settings

This configuration will ensure a high level of security and preserve the maximum possible compatibility with older browsers. If you pushed your server to the absolute ratings (4x 100), most customers would not be able to connect to it.

Your server will be secure enough after applying these changes to the SSL/TLS settings. I recommend that you also run an SSLlabs server test.


If you get an A grade, you can be satisfied: your server's security has no problem. Otherwise, do not hesitate to contact our customer support for advice.

Getting a Bonus Plus

After making the changes above, your server should get an A grade. If you want to achieve the best possible A+ rating, visit our magazine and read our article How to Achieve A+ Results in SSLlabs Test.