Skip to content

Transport Layer Security

Andrew Bonney edited this page May 2, 2019 · 4 revisions

This page covers configuration of certificate stores, cipher suites and similar on common platforms and for common web server implementations.

Apache2

The following parameters can be added to Apache 2 TLS configuration in order to meet the requirements of BCP-003-01. Note that a suitable version of Apache 2 and OpenSSL will be required in order for all of these parameters to take effect.

# Turn on TLS and identify RSA and ECDSA certificates
SSLEngine on
SSLCertificateFile	/path/to/rsa/certificate/chain.pem
SSLCertificateKeyFile	/path/to/rsa/key.pem
SSLCertificateFile	/path/to/ecdsa/certificate/chain.pem
SSLCertificateKeyFile	/path/to/ecdsa/key.pem

# Enable TLS 1.2 and 1.3 only
SSLProtocol -all +TLSv1.2 +TLSv1.3

# Enable BCP-003-01 recommended ciphers
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-CBC-SHA256:ECDHE-ECDSA-AES256-CBC-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-CBC-SHA256:ECDHE-RSA-AES256-CBC-SHA384:DHE-RSA-AES128-CBC-SHA256:DHE-RSA-AES256-CBC-SHA256:ECDHE-ECDSA-AES128-CCM8

# Enable OCSP stapling
SSLUseStapling on
		
# Enable HTTP Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=154656000"
Clone this wiki locally