Securing Apache - Fedora/CentOS/SUSE/RedHat

Step 3a - Perfect Forward Secrecy (PFS) - Cipher Suites - Mandatory Step!!!

You can alter the cipher suite to set which ciphers are offered and in what order of preference. If you want clients to follow your preferred order rather than their own, set SSLHonorCipherOrder to on; the server will then choose the first cipher in its SSLCipherSuite list that the client also supports. Mozilla has a great config generator for this!

You can remove the 128 bit ciphers to use only 256 bit, or remove the 256 bit ciphers to use only 128 bit: append :!AES128 or :!AES256 to the end of SSLCipherSuite to drop the respective AES ciphers. Removing the 256 bit ciphers causes few problems. Removing the 128 bit ciphers and using only 256 bit locks you in to TLSv1.2 and drops support for older clients, although it does get a 100% score on the tests. The config presented here keeps both so that the site reaches the widest audience while remaining secure.

Example:

SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:........"

The first entry is Elliptic Curve with GCM (EECDH+ECDSA+AESGCM, no preference among the suites it matches), then RSA with GCM (EECDH+aRSA+AESGCM, likewise). A client negotiates in the order of preference listed here: Elliptic Curve with GCM, then RSA with GCM, Elliptic Curve with SHA384 (EECDH+ECDSA+SHA384), Elliptic Curve with SHA256 (EECDH+ECDSA+SHA256), RSA with SHA384 (EECDH+aRSA+SHA384), RSA with SHA256 (EECDH+aRSA+SHA256), and so on down the list of ciphers. Note the syntax of the cipher list: + joins keywords so that one entry matches every suite having all of them, as in the first entry (EECDH+ECDSA+AESGCM), which specifies neither 128 or 256 bit nor SHA256 or SHA384. To name one exact suite, write its full name with the components joined by - (e.g. ECDHE-RSA-AES256-GCM-SHA384).

The options are whatever you want, as long as your intended audience can use those ciphers to connect to your application or site. You can add Camellia, CHACHA20 (ECDHE+ECDSA+CHACHA20+POLY1305:ECDHE+RSA+CHACHA20+POLY1305:), or anything else to the cipher list, but the procedure uses our preference, which works with most clients while remaining secure. We only use TLSv1.2 & TLSv1.3 in the procedure (fully mitigating BEAST). Think carefully about what other ciphers you want to add if you remove these. Unless you are an admin and understand the implications, I would not recommend it.
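Because a single missing ! turns an exclusion into an inclusion (aNULL instead of !aNULL would enable anonymous, unauthenticated suites), it is worth linting the SSLCipherSuite string before restarting Apache. The script below is an added example, not part of this guide: it splits the string on : and +, and reports any weak keyword that appears in a positive entry without a matching !keyword ban elsewhere in the list. The WEAK_KEYWORDS list is this example's own choice, mirroring the exclusions used in the guide, and the config snippet at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the guide): lint an Apache SSLCipherSuite string.
# Rule: a weak keyword inside a positive token (plain or joined with '+')
# must also be banned with '!' somewhere in the string; otherwise it is
# enabled. A '!' or '-' prefixed token never enables anything, so it is
# skipped. Pure POSIX sh; does not call openssl.

# Keywords this lint treats as weak (example's own list, based on the guide).
WEAK_KEYWORDS="aNULL eNULL RC4 3DES MD5 EXP LOW NULL DES SEED"

# is_banned KEYWORD SUITE -> 0 if "!KEYWORD" is one of SUITE's tokens
is_banned() {
    case ":$2:" in
        *":!$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_cipher_suite SUITE -> prints every weak keyword that is enabled but
# never banned; returns 1 if any was found, 0 if the string is clean
check_cipher_suite() {
    _suite=$1
    _found=0
    _old_ifs=$IFS
    IFS=:
    for _tok in $_suite; do
        case $_tok in
            '!'*|'-'*) continue ;;      # exclusions are fine
        esac
        IFS=+
        for _part in $_tok; do
            case " $WEAK_KEYWORDS " in
                *" $_part "*)
                    if ! is_banned "$_part" "$_suite"; then
                        echo "enabled without a '!' ban: $_part (in token $_tok)"
                        _found=1
                    fi
                    ;;
            esac
        done
    done
    IFS=$_old_ifs
    return $_found
}

# check_conf_file FILE -> lints every SSLCipherSuite directive in FILE
# (surrounding quotes stripped); returns 1 if any directive is unsafe
check_conf_file() {
    _rc=0
    for _val in $(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$1" | tr -d '"'); do
        check_cipher_suite "$_val" || _rc=1
    done
    return $_rc
}

# Demo on a constructed vhost snippet containing the classic typo ':aNULL:'
# (RC4 is named positively too, but it is banned by '!RC4', so not reported).
_demo=$(mktemp)
cat >"$_demo" <<'EOF'
<VirtualHost *:443>
    SSLCipherSuite "EECDH+aRSA+AESGCM:EECDH+aRSA+RC4:EECDH:!RC4:aNULL:!eNULL:!LOW"
    SSLHonorCipherOrder on
</VirtualHost>
EOF
if check_conf_file "$_demo"; then
    echo "OK: no weak keyword enabled"
else
    echo "FIX the SSLCipherSuite directive above before restarting httpd"
fi
rm -f "$_demo"
```

This is a syntax lint only; to see the suites the string actually expands to on the server's OpenSSL, run openssl ciphers -v followed by the quoted cipher string, which shows the ordered list the server will honor with SSLHonorCipherOrder on.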

Global use of the Cipher Suites for all sites using Apache (Preferred Method)

nano /etc/httpd/conf.d/ssl.conf

Make the following changes to the ssl.conf

SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!SHA1:!SHA256:!SHA384:!MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED:!CAMELLIA"
SSLHonorCipherOrder on
SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart httpd

Local use in the Apache Website config file (Alternative)

Add the three SSL directives shown below (the SSLCipherSuite, SSLHonorCipherOrder and SSLProtocol lines after CustomLog) to the file

nano /etc/httpd/conf.d/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED:!CAMELLIA"
        SSLHonorCipherOrder on
        SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    </VirtualHost>
</IfModule>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart httpd