{"id":5673,"date":"2016-04-14T15:02:10","date_gmt":"2016-04-14T07:02:10","guid":{"rendered":"http:\/\/rmohan.com\/?p=5673"},"modified":"2016-04-14T15:02:10","modified_gmt":"2016-04-14T07:02:10","slug":"a-on-apache2-4-ssl","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5673","title":{"rendered":"A+ on apache2.4 ssl"},"content":{"rendered":"

Here’s my config for apache2.4<\/strong>:<\/p>\n

\"sslas\"<\/a><\/p>\n

1) 4096 bit key<\/strong>:
\nYou will need to generate a 4096 bit key instead of the default 2048 bit key to get the key exchange to 100%. To do this, run letsencrypt-auto<\/code> with this flag: --rsa-key-size 4096<\/code><\/strong><\/p>\n

.\/letsencrypt-auto --agree-dev-preview --server \\\r\nhttps:\/\/acme-v01.api.letsencrypt.org\/directory auth --rsa-key-size 4096<\/code><\/pre>\n
2) SSL Settings<\/strong>:
\nAdd these directives to your apache2 config in the vhost section:<\/p>\n
SSLEngine on\r\nSSLCompression off\r\nSSLCipherSuite \"HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128\"\r\nSSLHonorCipherOrder on\r\nSSLProtocol TLSv1.2\r\nSSLUseStapling on<\/code><\/pre>\n
3) SSL Certificate and Key File Settings<\/strong>:
\nAlso add these directives to your apache2 config in the same vhost section. Keep in mind you need to update the path to your specific certificate and key that relate to your domain (<<< YOUR DOMAIN HERE >>><\/strong>):<\/p>\n
SSLCertificateFile \"\/etc\/letsencrypt\/live\/<<< YOUR DOMAIN HERE >>>\/fullchain.pem\"\r\nSSLCertificateKeyFile \"\/etc\/letsencrypt\/live\/<<< YOUR DOMAIN HERE >>>\/privkey.pem\"<\/code><\/pre>\n
4) DH parameters<\/strong>:
\nGenerate >=4096 dhparams using your openssl binary. This will take some time:<\/p>\n
openssl dhparam -out \/etc\/ssl\/private\/dhparams_4096.pem 4096<\/code><\/pre>\n
If you have openssl >= 1.0.2d<\/strong> installed (type openssl version<\/code><\/strong> to find out), you can use the following line in your apache2 vhost config:<\/p>\n
SSLOpenSSLConfCmd DHParameters \"\/etc\/ssl\/private\/dhparams_4096.pem\"<\/code><\/pre>\n
If you do not have openss >= 1.0.2d<\/strong>, you will need to append your dhparameters to the bottom of your certificate file:<\/p>\n
cat \/etc\/letsencrypt\/live\/<<< YOUR DOMAIN HERE >>>\/fullchain.pem \\\r\n    \/etc\/ssl\/private\/dhparams_4096.pem > \\\r\n    \/etc\/letsencrypt\/archive\/<<< YOUR DOMAIN HERE >>>\/fullchain_dhparams_4096.pem<\/code><\/pre>\n
Then you will use this file in place of your SSLCertificateFile<\/code><\/strong> above:<\/p>\n
SSLCertificateFile \"\/etc\/letsencrypt\/archive\/<<< YOUR DOMAIN HERE >>>\/fullchain_dhparams_4096.pem\"<\/code><\/pre>\n
Keep in mind that if you manipulate the certificate (issue a new one, etc), you will need to repeat this step as the dhparams will not be added to that certificate!<\/strong><\/p>\n
5) Headers<\/strong>:
\nYou need to set a Public-Key-Pin header. Generate the first pin against the letsencrypt chain cert with the following code (read more here: https:\/\/raymii.org\/s\/articles\/HTTP_Public_Key_Pinning_Extension_HPKP.html88<\/span><\/a>):<\/p>\n
openssl x509 -noout -in \/etc\/letsencrypt\/live\/<<<< YOUR DOMAIN HERE >>>>\/chain.pem -pubkey | \\\r\nopenssl asn1parse -noout -inform pem -out \/tmp\/fingerprint.key;\r\nopenssl dgst -sha256 -binary \/tmp\/fingerprint.key | openssl enc -base64<\/code><\/pre>\n
The next pin comes from your private key. You should keep this key in a safe place:<\/p>\n
openssl x509 -noout -in \/etc\/letsencrypt\/live\/<<<< YOUR DOMAIN HERE >>>>\/privkey.pem -pubkey | \\\r\nopenssl asn1parse -noout -inform pem -out \/tmp\/fingerprint.key;\r\nopenssl dgst -sha256 -binary \/tmp\/fingerprint.key | openssl enc -base64<\/code><\/pre>\n
You will use these fingerprints in the section below (<<< YOUR CUSTOM PIN HERE >>><\/strong>).<\/p>\n
I haven’t figured out a good programmatic way to get the chain cert keys, but I have found that you can get them with https:\/\/dev.ssllabs.com\/ssltest\/analyze.html70<\/span><\/a> by analyzing your own site once it’s already running.<\/p>\n
Also add these directives to your apache2 config in the same vhost section:<\/p>\n
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure\r\nHeader always set Public-Key-Pins \"pin-sha256=\\\"<<< YOUR CHAIN PIN HERE >>>=\\\"; pin-sha256=\\\"<<< YOUR PRIVATE KEY PIN HERE >>>\\\"; max-age=31536000; includeSubDomains\"\r\nHeader always set X-Frame-Options SAMEORIGIN\r\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubdomains; preload\"\r\nHeader always set X-Content-Type-Options nosniff<\/code><\/pre>\n
6) SSL Stapling Cache<\/strong>:
\nAdd the following line to your ssl.conf \/etc\/apache2\/conf-available\/ssl.conf<\/code><\/strong> file:<\/p>\n
echo 'SSLStaplingCache shmcb:\/tmp\/stapling_cache(2097152)' >> \\\r\n\/etc\/apache2\/conf-available\/ssl.conf`<\/code><\/pre>\n
Enable your ssl.conf<\/code><\/strong> file:<\/p>\n
a2enconf ssl<\/code><\/pre>\n
7) Restart Apache<\/strong>:<\/p>\n
service apache2 restart<\/code><\/pre>\n
8) Test your site at https:\/\/www.ssllabs.com\/ssltest\/analyze.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Here’s my config for apache2.4:<\/p>\n<\/p>\n
1) 4096 bit key: You will need to generate a 4096 bit key instead of the default 2048 bit key to get the key exchange to 100%. To do this, run letsencrypt-auto with this flag: –rsa-key-size 4096<\/p>\n
 .\/letsencrypt-auto –agree-dev-preview –server \\ https:\/\/acme-v01.api.letsencrypt.org\/directory auth –rsa-key-size 4096 <\/p>\n
2) SSL Settings: Add […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5673"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5673"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5673\/revisions"}],"predecessor-version":[{"id":5675,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5673\/revisions\/5675"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}