SSL Configuration for Webserver

Posted by AliceTech Oct 2, 2023

I'm setting up a new Apache web server on Ubuntu 22.04 and need to configure SSL/TLS. I have a certificate from Let's Encrypt, but I'm not sure about the optimal settings for security and compatibility. Can anyone provide a sample ssl.conf snippet and explain the key directives?

Sample Configuration

<IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem

    # Preferred protocols: only TLS 1.2 and TLS 1.3 stay enabled
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

    # Strong ciphers, order matters (server preference wins)
    SSLCipherSuite          HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder     on

    # OCSP Stapling. SSLStaplingCache is required for SSLUseStapling and must
    # live at server level (outside any <VirtualHost>); on Ubuntu
    # ${APACHE_RUN_DIR} comes from /etc/apache2/envvars
    SSLStaplingCache        shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

    # HSTS (adjust max-age as needed); requires mod_headers (a2enmod headers)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Response compression via mod_deflate (not MIME type enforcement).
    # HTTP-level compression of pages that echo user input next to secrets
    # is what BREACH relies on, so enable it selectively.
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript

    # Diffie-Hellman parameters (generate with: openssl dhparam -out dhparam.pem 2048)
    # SSLOpenSSLConfCommand needs Apache 2.4.8+ built against OpenSSL 1.0.2+
    SSLOpenSSLConfCommand   DHParameters "/etc/ssl/certs/dhparam.pem"
</IfModule>

Explanation of Key Directives

After adding the config, test it with openssl s_client -connect yourdomain.com:443 -tls1_2 or use Qualys SSL Labs for a full analysis.

Comments (2)

BobOps Oct 3, 2023

Great snippet! I’d also add SSLCompression off to prevent BREACH attacks.

CharlieDev Oct 4, 2023

If you’re on Apache 2.4.38+, you can replace the DHParameters line with SSLCurve to let OpenSSL pick the best curve automatically.