Apache的SSL证书安全设置教程

更多文档可以参考:   其他SSL证书相关 , apache SSL安全

升级openSSL,部分老版本的OpenSSL有漏洞。

禁用 SSLv2 and SSLv3

SSLProtocol All -SSLv2 -SSLv3

如果Apache 2.2.24+ 以上版本  添加以下代码

 

SSLCompression off

使用安全的Cipher Suite

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 

如果想兼容XP/IE6 ,请使用以下的 Cipher Suite

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

 

Forward Secrecy & Diffie Hellman Ephemeral Parameters ,如果你用的 Apache 2.4.8以上  OpenSSL 1.0.2 或以上版本,可以运行一下命令

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

然后将以下代码添加到网站配置文件

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

根据你的apache版本不同, 将代码添加到apache的网站配置文件里面, 参考下面的例子

<VirtualHost *:443>
ServerAdmin webmaster@example.com
DocumentRoot "/home/sslaaa"
ServerName www.cheapssl.cn
SSLEngine on
SSLCertificateKeyFile /usr/local/httpd/sslaaa.key
SSLCertificateFile /usr/local/httpd/sslaaa.crt
SSLCertificateChainFile /usr/local/httpd/sslaaa.bundle

####///////////////////SSL安全设置代码 开始//////
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLHonorCipherOrder     on
SSLCompression off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#####//////////////////SSL安全设置代码 结束//////////

......
</VirtualHost>