Httpd SSL Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Line 127:
* Protect against the [[POODLE Attack]].
* Disable support for [[RC4 Cipher]]
* Support [[Forward Secrecy]] with the reference browsers.

Revision as of 01:12, 7 January 2016




To protect a web site with SSL, make sure mod_ssl is installed and loaded, create a virtual host that listens on a port other than the one used by the non-SSL sites (443 by convention), turn SSLEngine on for that virtual host, and point it at the certificate and the private key.


Install mod_ssl and openssl

yum install mod_ssl
yum install openssl

On yum-based systems (RHEL/CentOS) the mod_ssl package installs mod_ssl.so under /etc/httpd/modules. It also creates the default SSL configuration file, ssl.conf, in /etc/httpd/conf.d.


ssl.conf must be included. Usually the main httpd.conf configuration file contains an "include all conf.d" line:

IncludeOptional conf.d/*.conf

which should take care of ssl.conf inclusion. More about IncludeOptional.

If not present, explicitly add the following Include directive above the virtual host area:

Include conf.d/ssl.conf

ssl.conf contains the configuration of a default secure virtual host; custom secure virtual hosts should be added below it. See Secure Virtual Hosts.


Restrict the secure server to a specific, dedicated port (and, if wanted, interface) with the Listen directive in ssl.conf. The stock line is:

Listen 443 https

To bind a single interface only, prefix the port with its address (the address:port form of Listen); the https argument tells httpd which protocol to expect on that port. Note that the main configuration file will usually still contain a Listen directive for port 80. That is fine if the server should keep serving unsecured pages as well; multiple Listen directives are legal.

More details about Listen are available here Listen.

Log Location

By default, the SSL virtual host has its own log files and its own LogLevel, set in ssl.conf:

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

Secure Virtual Hosts

Add custom secure virtual hosts at the bottom of ssl.conf, one VirtualHost block per site (the stock ssl.conf uses _default_:443 for its own block):

    <VirtualHost _default_:443>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/"
        SSLCertificateKeyFile "/etc/pki/tls/private/"
        SSLCertificateChainFile "/etc/pki/tls/certs/"
        DocumentRoot "/var/www/"
    </VirtualHost>

If more than one secure site shares the address, also set ServerName to the site's FQN inside the block so that SNI clients are matched to the right certificate. The files referenced here are described in the following sections.

GoDaddy certificate installation instructions:

Site Private Key

Place the private key under /etc/pki/tls/private.

Name it <secure-site-FQN>.key. Example:

Make it readable by apache:apache and nobody else:

chown apache:apache /etc/pki/tls/private/<secure-site-FQN>.key
chmod go-rwx /etc/pki/tls/private/<secure-site-FQN>.key

A stricter alternative is to leave the key owned by root with mode 0600: httpd reads private keys as root at startup, before it drops privileges to the apache user, so a worker process that is compromised later cannot read the key back from disk.

Site Certificate

Place the certificate file under /etc/pki/tls/certs.

Name it <secure-site-FQN>.crt. Example:

Site Chain/Intermediate Certificate

Most publicly trusted certificates are issued by an intermediate CA rather than directly by a root, so at least one intermediate/chain certificate must be installed on the server to link the site certificate to a trusted root. GoDaddy-issued certificates, for example, require this.

Place the intermediate/chain certificate file under /etc/pki/tls/certs.

Name it <secure-site-FQN>-godaddy-chain.crt. Example:

Specify the path to the certificate chain under the corresponding secure virtual host as:

    SSLCertificateChainFile "/etc/pki/tls/certs/"

Note that SSLCertificateChainFile is deprecated as of Apache 2.4.8. On 2.4.8 and later, append the intermediate certificate(s) after the site certificate in the file named by SSLCertificateFile and drop the SSLCertificateChainFile line. SSLCACertificateFile and SSLCACertificatePath are not a replacement: they define the CAs used to verify client certificates, not the chain the server sends.

Test Certificate

Use all of the checks below. Testing is worthwhile: a test may reveal weaknesses and vulnerabilities (a missing intermediate, a key that does not match the certificate, an expired certificate, or weak ciphers such as RC4). If everything was installed correctly, the checks should all pass.
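The whole procedure above (private key, site certificate, chain certificate, secure virtual host, checks) as one added shell example. It is not part of the original page and not GoDaddy's tooling. It assumes openssl on PATH and uses a scratch directory in place of /etc/pki/tls so it runs unprivileged; the site name secure.example.com, the test CA names, the ServerName line and the DocumentRoot path are assumptions. Because it generates its own root and intermediate, the checks that catch a wrong key, a chain file that lacks the issuing intermediate, or a world-readable key can be exercised without a real certificate:

```shell
#!/bin/sh
# Added example (not from the NovaOrdis page, not GoDaddy's tooling). Builds a throwaway
# root -> intermediate -> server chain with openssl, lays the files out as the page
# describes (certs/<FQN>.crt, certs/<FQN>-godaddy-chain.crt, private/<FQN>.key), writes
# the matching secure virtual host, and runs the checks that must pass before httpd is
# reloaded. Assumptions: openssl is on PATH; $WORK stands in for /etc/pki/tls so this
# runs unprivileged; secure.example.com and the CA names are invented.

SITE="secure.example.com"

# openssl config used for all three certificates. The intermediate MUST carry
# basicConstraints CA:TRUE, otherwise "openssl verify" (and browsers) reject the chain.
write_openssl_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SITE
EOF
}

# Test material only: in a real deployment the .key is generated locally and the .crt
# and chain files come back from the CA.
make_test_chain() {
    d="$1"
    mkdir -p "$d/certs" "$d/private"
    write_openssl_cnf "$d/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA" \
        -config "$d/openssl.cnf" -extensions v3_ca \
        -keyout "$d/private/root.key" -out "$d/certs/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -config "$d/openssl.cnf" \
        -keyout "$d/private/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/intermediate.csr" \
        -CA "$d/certs/root.crt" -CAkey "$d/private/root.key" -CAcreateserial \
        -extfile "$d/openssl.cnf" -extensions v3_ca \
        -out "$d/certs/$SITE-godaddy-chain.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$SITE" -config "$d/openssl.cnf" \
        -keyout "$d/private/$SITE.key" -out "$d/$SITE.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/$SITE.csr" \
        -CA "$d/certs/$SITE-godaddy-chain.crt" -CAkey "$d/private/intermediate.key" \
        -CAcreateserial -extfile "$d/openssl.cnf" -extensions v3_server \
        -out "$d/certs/$SITE.crt" 2>/dev/null
}

# The page's ownership/mode step. chown needs root and an "apache" account, so it is
# skipped otherwise; chmod is what keeps the key away from every other local user.
install_key() {
    if [ "$(id -u)" -eq 0 ] && id apache >/dev/null 2>&1; then chown apache:apache "$1"; fi
    chmod go-rwx "$1"
}

# The secure virtual host from the page with concrete paths. ServerName and the
# DocumentRoot path are additions (assumed); name-based (SNI) matching needs ServerName.
write_vhost() {
    d="$1"
    cat > "$d/$SITE-ssl.conf" <<EOF
# append to the bottom of /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    ServerName $SITE
    SSLEngine on
    SSLCertificateFile "$d/certs/$SITE.crt"
    SSLCertificateKeyFile "$d/private/$SITE.key"
    SSLCertificateChainFile "$d/certs/$SITE-godaddy-chain.crt"
    DocumentRoot "/var/www/$SITE"
</VirtualHost>
EOF
}

# Checks that should all pass before httpd is reloaded: key matches certificate, the
# chain file links the certificate to a trusted root and the hostname is right, no
# expiry within 30 days, key not readable by group/others. Non-zero on first failure.
check_site() {
    d="$1"; crt="$d/certs/$SITE.crt"; key="$d/private/$SITE.key"
    chain="$d/certs/$SITE-godaddy-chain.crt"; root="$d/certs/root.crt"
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key")" ] \
        || { echo "FAIL: private key does not match $crt"; return 1; }
    # old openssl versions exit 0 even when verification fails, so read the verdict
    case "$(openssl verify -CAfile "$root" -untrusted "$chain" -verify_hostname "$SITE" "$crt" 2>&1)" in
        *": OK"*) ;;
        *) echo "FAIL: chain or hostname does not verify for $crt"; return 1 ;;
    esac
    openssl x509 -noout -checkend 2592000 -in "$crt" >/dev/null \
        || { echo "FAIL: $crt expires within 30 days"; return 1; }
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] \
        || { echo "FAIL: $key is readable by group or others"; return 1; }
    echo "OK: $SITE key, certificate, chain and permissions check out"
}

# Stand-alone run: everything lands in a scratch directory that is left for inspection.
WORK=$(mktemp -d)
make_test_chain "$WORK"
install_key "$WORK/private/$SITE.key"
write_vhost "$WORK"
check_site "$WORK"
```

The last check is the one most often skipped: a key that is group- or world-readable is exactly what the chmod step in Site Private Key is there to prevent, and the find expression reports it without relying on non-POSIX stat flags. Against a real deployment, replace $WORK with /etc/pki/tls and the generated root.crt with the CA bundle the system trusts.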

Other Details