This page is about SSL/TLS protocol security settings for the Apache web server on a virtual server from ZonerCloud.
The main topic is changing the default security settings of a Debian server, which are obsolete and not suitable for general use.
The default server configuration in Debian (version 7) is not suitable for production servers: a server with default settings still accepts the obsolete SSLv3 protocol, which is deprecated.
Zoner software a.s. has been a provider of complete internet services since 1996.
The main issues in the outdated default configuration that you must correct are the following:
Disabling the dated and obsolete SSLv3 protocol is very simple. You can disable it per virtual host or for the whole server; disabling it server-wide is simpler and better, because one setting then covers every virtual host that does not override it.
Edit in file /etc/apache2/mods-available/ssl.conf:
SSLProtocol all -SSLv2 -SSLv3
This leaves TLS 1.0, 1.1 and 1.2 enabled (Debian 7 ships OpenSSL 1.0.1, which supports TLS 1.2).
The RC4 cipher is considered broken: its keystream has statistical biases that let an attacker recover parts of the plaintext (for example a session cookie) after observing enough encrypted connections. RC4 was for a time recommended as a workaround for the BEAST attack, which targets CBC-mode ciphers in TLS 1.0, but that trade-off is no longer acceptable; current browsers mitigate BEAST on the client side.
Disabling a cipher is simple. It is enough to put an exclamation mark in front of the unwanted cipher in the cipher string and the server will stop using it. The exclamation mark removes the cipher permanently, so a later entry in the list cannot bring it back (unlike a minus sign, which only removes it from the list built so far).
Edit in file /etc/apache2/mods-available/ssl.conf:
SSLCipherSuite ... !RC4
Forward secrecy protects the transferred information against later decryption (for instance after the server's private key has been stolen): each connection derives its session keys from an ephemeral Diffie-Hellman exchange, either DHE (over finite fields) or ECDHE (over elliptic curves), instead of encrypting them with the server's long-term RSA key. The prerequisite for working forward secrecy is therefore that the server offers, and prefers, DHE and ECDHE cipher suites.
You will find more about the use of forward secrecy in the article SSL Labs: Deploying Forward Secrecy. If you do not want to study the topic, it is enough to set the cipher suites below in the configuration, together with SSLHonorCipherOrder on so that the server's preference, not the client's, decides which suite is used.
Edit in /etc/apache2/mods-available/ssl.conf:
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
This configuration ensures a high level of security while preserving the maximum possible compatibility with older browsers: the ECDHE and DHE suites come first, plain RSA suites and 3DES (DES-CBC3-SHA) remain only as a fallback for old clients, and RC4, export, anonymous, single-DES and MD5 suites are excluded. Chasing the perfect SSL Labs score (100 in all four categories) would mean dropping that fallback, and a noticeable share of your customers' browsers would no longer be able to connect. One caveat: the Apache 2.2 shipped in Debian 7 uses fixed 1024-bit parameters for the DHE suites and offers no directive to change them; the ECDHE suites do not have this limitation, which is one more reason to keep them at the front of the list.
After applying these changes to the SSL/TLS settings and reloading Apache, your server will be secure enough. I recommend that you also run the SSL Labs server test against it.
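The script below is an added example, not part of the original article, that checks the three settings described above against a running server using only the openssl command-line tool: SSLv3 must be refused, a client that offers only RC4 must be refused, a normal TLS 1.2 handshake must land on an ECDHE or DHE suite, and a client that lists a plain RSA suite first must still be steered to the ECDHE suite, which is what SSLHonorCipherOrder on achieves. The host name and port are arguments; www.example.com in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): probe a server for the three
# settings above using `openssl s_client`. Host and port are arguments;
# www.example.com in the usage line is a placeholder, not a real target.
# Usage: sh tls-check.sh www.example.com [443]

# Extract the negotiated protocol and cipher from `openssl s_client` output.
# Prints "PROTOCOL CIPHER"; after a failed handshake the cipher is "0000",
# "(NONE)" or empty.
parse_negotiated() {
    printf '%s\n' "$1" | awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END { print proto, cipher }'
}

# True (exit 0) when a "PROTOCOL CIPHER" result shows no session was set up.
handshake_failed() {
    set -- $1                     # split into protocol and cipher
    case "${2:-}" in
        ""|0000|"(NONE)") return 0 ;;
        *)                return 1 ;;
    esac
}

# True when a cipher suite name implies an ephemeral (EC)DH key exchange,
# i.e. the connection has forward secrecy.
uses_forward_secrecy() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# One handshake attempt; remaining arguments are passed on to s_client.
probe() {
    host=$1; port=$2; shift 2
    out=$(printf '' | openssl s_client -connect "$host:$port" \
              -servername "$host" "$@" 2>/dev/null) || true
    parse_negotiated "$out"
}

expect_refused() {               # expect_refused NAME RESULT
    if handshake_failed "$2"; then echo "PASS: $1 refused"
    else echo "FAIL: $1 accepted ($2)"; fail=1; fi
}

expect_forward_secrecy() {       # expect_forward_secrecy NAME RESULT
    set -- "$1" $2                # $2 = protocol, $3 = cipher
    if uses_forward_secrecy "${3:-}"; then echo "PASS: $1 -> $2 $3"
    else echo "FAIL: $1 -> ${2:-none} ${3:-none}"; fail=1; fi
}

main() {
    host=$1; port=${2:-443}; fail=0

    # 1. SSLv3 disabled. This needs a local openssl built with SSLv3 support;
    #    a modern openssl that lacks -ssl3 fails the handshake on its own, so
    #    run this from a machine with an older openssl or rely on SSL Labs.
    expect_refused "SSLv3" "$(probe "$host" "$port" -ssl3)"

    # 2. RC4 removed: a client offering only RC4 suites must get no session
    #    (same caveat as above if the local openssl was built without RC4).
    expect_refused "RC4-only client" "$(probe "$host" "$port" -cipher 'RC4')"

    # 3. Forward secrecy: a plain TLS 1.2 handshake must land on (EC)DHE.
    expect_forward_secrecy "TLS 1.2 default" "$(probe "$host" "$port" -tls1_2)"

    # 4. SSLHonorCipherOrder: even when the client lists a plain-RSA suite
    #    first, the server's own order must win and pick the ECDHE suite.
    expect_forward_secrecy "client prefers AES128-SHA" \
        "$(probe "$host" "$port" -tls1_2 -cipher 'AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256')"

    exit "$fail"
}

if [ $# -ge 1 ]; then main "$@"; else echo "usage: $0 HOST [PORT]" >&2; fi
```

Run it after `apache2ctl configtest` has passed and Apache has been reloaded (`service apache2 reload` on Debian 7); a non-zero exit status means at least one check failed. To see which suites a cipher string actually expands to before putting it into SSLCipherSuite, pass the string to `openssl ciphers -v` and grep the output for the names you expect to be gone, such as RC4.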
If you get an A grade, you can be satisfied: the server's security settings are in order. Otherwise, do not hesitate to contact our customer support for advice.