
Apache 2 SSL Labs Fixes

Recently I was testing some web servers with the SSL Labs SSL web server test. This article describes the fixes I applied to Ubuntu Server 12.04 to get an A+ on the test.

The SSL Labs Test

Auditing the TLS configuration of your web server occasionally is a good idea, since you always want to maintain a balance between supported platforms and security. Attacks such as CRIME (against TLS compression) and POODLE (against SSLv3) are well documented and easy to mount, and, as always, maintaining backwards compatibility generally makes you more vulnerable.

Although this article generally refers to Ubuntu Server, the real subject is Apache, so most of it should apply to distributions that ship the server as httpd (Fedora, CentOS, openSUSE, etc.) rather than apache2. You can add the mod_ssl directives to individual virtual hosts, or to your main httpd.conf or apache2.conf.

To get an A+ with Apache:

  1. If you're running Ubuntu 12.04 LTS, try upgrading to 14.04 LTS. Its Apache 2.4 and newer OpenSSL packages will frequently get you an A+ while maintaining broad client compatibility. You could compile OpenSSL, Apache and related packages by hand, but running the automated upgrade is usually much easier.
  2. Disable SSLv3, the protocol POODLE targets. On Apache 2.2 builds whose OpenSSL still includes SSLv2, add -SSLv2 to the same line, since "All" enables it there too:
       SSLProtocol All -SSLv3
  3. Disable SSL compression, which CRIME exploits:
       SSLCompression off
  4. Prefer ECDHE/DHE cipher suites for perfect forward secrecy and disable the weak RC4 cipher: order SSLCipherSuite so the forward-secret suites come first, exclude RC4 with !RC4, and set SSLHonorCipherOrder on so the server's preference wins over the client's.
  5. To prevent SSL-stripping downgrade attacks, enable the headers mod and implement HTTP Strict Transport Security. Put the Header line inside the HTTPS virtual host only (browsers ignore HSTS sent over plain HTTP), and keep in mind that includeSubDomains commits every subdomain to HTTPS for the whole max-age period (63072000 seconds is two years):
    $ a2enmod headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

    More info about HTTP Strict Transport Security.

  6. Some certificates (InCommon, for instance) chain through two intermediate CAs, which I had missed before. So I put both intermediates in one file and pointed SSLCertificateChainFile at it. The intermediate that signed your own certificate goes first, followed by the one above it; strict clients reject a chain that is out of order:
    $ wget
    $ cat f5fb01dea6e59ca6dd057054f4a3ff72dde1d5c6.pem > InCommon-chain.pem
    $ wget
    $ cat eab040689a0d805b5d6fd654fc168cff00b78be3.pem >> InCommon-chain.pem

    On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; append the intermediates to the file named by SSLCertificateFile instead.
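To tie the steps together, here is an added example of my own (not the article's configuration or anything from the Apache project): a small Python script that reads a mod_ssl virtual host and reports any of the weaknesses the steps above address. Both embedded vhosts are constructed for the example; the cipher string in the hardened one is my own choice, and the 180-day HSTS threshold is an assumption about what SSL Labs expects.

```python
"""Audit a mod_ssl virtual host for the weaknesses the steps above fix:
SSLv2/SSLv3 enabled, TLS compression on, RC4 allowed, no forward-secret
suites, client-chosen cipher order, and a missing or short-lived HSTS header."""
import re

# Constructed sample: a weak vhost, roughly what a stock 12.04 install gives you.
WEAK_VHOST = """\
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLProtocol all
    SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL
</VirtualHost>
"""

# Constructed sample: the same vhost after steps 2-6. The cipher string is this
# example's own choice (forward-secret suites first, RC4 and 3DES excluded).
HARDENED_VHOST = """\
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/InCommon-chain.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLCompression off
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:HIGH:!aNULL:!MD5:!RC4:!3DES
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
"""

HSTS_MIN_AGE = 180 * 24 * 3600  # assumption: the minimum max-age SSL Labs wants for A+


def directives(config):
    """Return (name, value) pairs for each directive line, skipping comments and tags."""
    pairs = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        pairs.append((name, value.strip()))
    return pairs


def last_value(pairs, name):
    """Value of the last occurrence of a directive (later lines override earlier ones)."""
    values = [v for n, v in pairs if n.lower() == name.lower()]
    return values[-1] if values else None


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    pairs = directives(config)
    findings = []

    # Step 2: SSLv2/SSLv3. mod_ssl's default is "all", and on Apache 2.2 builds
    # "all" still includes SSLv2 when OpenSSL supports it.
    tokens = (last_value(pairs, "SSLProtocol") or "all").lower().split()
    for legacy in ("sslv2", "sslv3"):
        turned_on = any(t in ("all", legacy, "+" + legacy) for t in tokens)
        if turned_on and "-" + legacy not in tokens:
            findings.append(f"SSLProtocol enables {legacy.upper()}; add -{legacy.upper()}")

    # Step 3: TLS compression (CRIME).
    if (last_value(pairs, "SSLCompression") or "").lower() != "off":
        findings.append("SSLCompression is not off (CRIME)")

    # Step 4: forward secrecy, RC4, and server-side cipher ordering.
    suites = (last_value(pairs, "SSLCipherSuite") or "").split(":")
    if "!RC4" not in suites:
        findings.append("SSLCipherSuite does not exclude RC4; add !RC4")
    if not any(s.startswith(("ECDHE", "DHE", "EECDH", "EDH")) for s in suites):
        findings.append("SSLCipherSuite lists no ECDHE/DHE suites; no forward secrecy")
    if (last_value(pairs, "SSLHonorCipherOrder") or "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; clients may pick weak suites")

    # Step 5: HSTS header with a long enough max-age.
    hsts = [v for n, v in pairs
            if n.lower() == "header" and "strict-transport-security" in v.lower()]
    max_age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if max_age is None:
        findings.append("no Strict-Transport-Security header (HSTS)")
    elif int(max_age.group(1)) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security max-age is shorter than 180 days")
    return findings


if __name__ == "__main__":
    for label, vhost in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(f"{label}: {audit(vhost) or ['OK']}")
```

Run it as-is to see the weak vhost fail every check and the hardened one pass; to audit your own host, read the vhost file into a string and pass it to audit(). The script only reads the configuration text, so it is a pre-deployment check, not a substitute for the SSL Labs test against the live server.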

That got me an A+ on the SSL Labs test and only sacrificed compatibility with IE6 and IE8 on Windows XP. Apparently that platform can't be supported securely, and Chrome now warns about XP-compatible certificates. I consider this acceptable, since Windows XP reached end of life in April 2014 and should be abandoned in any setup where security is essential. If you're feeling generous you may also start warning XP users that they need to upgrade.

I tested a few other SSL sites around the web and many of them scored somewhere between F and C. Certainly there's plenty of room for improvement.

