current 2013 bullet proof SSL config

Now in December 2013 the best available SSL config with a 4096 bit RSA Key and httpd Apache 2.4.7 with OpenSSL/1.0.1e.

SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On

YES Windows XP is no longer supported with this. But for me there is no more need to do so.

ssl test lab result

The SSL Test Lap Test shows a very good result. The Cipher Strength is at 100%. So any browser will use a 256 bit encrypted connection to that server.

Compling Apache 2.4 on Ubuntu or Debian

tar xvfz httpd-2.4.2.tar.gz
tar xvfz httpd-2.4.2-deps.tar.gz
cd httpd-2.4.2/srclib
tar xvfz apr-iconv-1.2.1.tar.gz
mv apr-iconv-1.2.1 apr-iconv
tar xvfz zlib-1.2.7.tar.gz
mv zlib-1.2.7 zlib
tar xvfz pcre-8.21.tar.gz
mv pcre-8.21 pcre
tar xfz openssl-1.0.1.tar.gz
cd openssl-*
./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared
make test
sudo make install
cd ../..
./configure --prefix=/opt/apache2 --enable-pie --enable-mods-shared=all --enable-so --disable-include --enable-deflate --enable-headers --enable-expires --enable-ssl=shared --enable-mpms-shared=all --with-mpm=event --enable-rewrite --with-z=/home/mario/apache24/httpd-2.4.2/srclib/zlib --enable-module=ssl --enable-fcgid --with-included-apr
sudo make install
cd ..
tar xvfz mod_fcgid-2.3.7.tar.gz
cd mod_fcgid-*
APXS=/opt/apache2/bin/apxs ./configure.apxs
sudo make install

For using PHP install php-cgi

add httpd.conf

FcgidMaxProcesses 50
FcgidFixPathinfo 1
FcgidProcessLifeTime 0
FcgidTimeScore 3
FcgidZombieScanInterval 20
FcgidMaxRequestsPerProcess 0
FcgidMaxRequestLen 33554432
FcgidIOTimeout 120

in each vhost

Options Indexes ExecCGI
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php

Apache 2.4.x Better than rewriting

With httpd Apache 2.4.x is is more simple to do stuff than with 2.2.x

Like forcing the www. in front of a domain. Apache now supports the If Elseif Else :-) Pretty nice!
Light example

<If "$req{Host} != ''">
    RedirectMatch (.*)$1

Easy, isn’t it?

A bit more old fashion way, so you can use the %{bla} stuff you already know.

<If "%{HTTP_HOST} == ''">
Redirect permanent /

Also nice is the Define Directive.

OK you have to start apache with the -D parameter. Like httpd -D TEST

<IfDefine TEST>
Define servername
<IfDefine !TEST>
Define servername
Define SSL

If you have some example, please let me know!

mod_dav_svn from subversion 1.7.x does not build against apache 2.4

Since the API in Apache 2.4.x has changed the mod_dav_svn module from svn doesn’t build currently. I made patch for that. There is only a small issue in subversion/mod_dav_svn/util.c

Index: util.c
--- util.c    (revision 1299310)
+++ util.c    (working copy)
@@ -627,8 +627,14 @@
         if (errscan->desc == NULL)

-        if (errscan->save_errno != 0) {
+#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)            
+        if (errscan->aprerr != 0) {
+            errno = errscan->aprerr;
+        if (errscan->save_errno != 0) {
             errno = errscan->save_errno;
             ap_log_rerror(APLOG_MARK, level, errno, r, "%s  [%d, #%d]",
                           errscan->desc, errscan->status, errscan->error_id);

Now it compiles against Apache 2.2 and Apache 2.4


Any feedback is welcome.

mod_fcgid is crashing apache windows and linux

With apache 2.3.15 I had kinda  the same issue with mod_fcgidon ubuntu 8.04 as on windows.  With -k restart or -k graceful the server did not die like on windows, but the server delivered than only a 200 OK response header, but nothing more. Switching from worker mpm to event mpm seemed to solve this, but the server died later :-/

Since it has talmost the same issues like on windows I could make a patch that fixes this. Grab the patch (patched against trunk) for the patch for 2.3.6

The bug 50309 is now longer than a year listet. Bad that none applied it yet.

Secure apache against CVE-2011-3389 aka Beast attack

During the summer rumours about a new attack against SSL started circulating (CVE-2011-3389).
As it turns out, the attack itself was conceived years ago, deemed impractical, but it was nevertheless fixed in TLS 1.1. The new attack technique introduced a few optimizations to make it practical.

In terms of mitigation, I expect this problem will be largely addressed on the client side, despite a potential compatibility problem that may cause some TLS sites to stop working.

With this config you can avoid that attack.

SSLProtocol all -SSLv2
SSLHonorCipherOrder On

#NO Longer needed cause since IE 7 this works ;) 
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

With OpenSSL 1.0.1 it must be


Archive for category apache

Archives by Month: