SCSIraidGURU’s World

Apache 2 : Apache HTTP Server Project

Stable Release – Latest Version:

This adds the PPA repository so that apt can install the latest version of Apache 2.

sudo add-apt-repository ppa:ondrej/apache2
sudo apt update
sudo apt install apache2

Enable SSL on Apache2

sudo a2enmod ssl
sudo a2enmod headers

sudo a2enmod authz_core authz_host access_compat socache_shmcb slotmem_shm socache_dbm


sudo service apache2 restart

See sections on OCSP Stapling and DNS CAA for more information.

Final sites-available configuration file

<IfModule mod_ssl.c>
# OCSP Stapling
SSLCryptoDevice dynamic
SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
SSLSessionCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_scache(512000)

Mutex file:/var/log/apache2/wp.scsiraidguru.com/ ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin

<VirtualHost *:443>
ServerName wp.scsiraidguru.com
ServerAdmin mike.mckenney@scsiraidguru.com
ServerAlias www.scsiraidguru.com scsiraidguru.com
DocumentRoot

SSLEngine On
SSLCertificateFile
SSLCertificateKeyFile
SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem"
SSLOCSPEnable on
SSLUseStapling on
SSLOCSPResponseMaxAge 900
SSLOCSPResponseTimeSkew 300
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined

</VirtualHost>

<VirtualHost *:80>
ServerName wp.scsiraidguru.com
ServerAlias www.scsiraidguru.com scsiraidguru.com
Redirect permanent / https://wp.scsiraidguru.com
</VirtualHost>

## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
SSLProtocol -all +TLSv1.3 +TLSv1.2

SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

## Permission for our DocumentRoot ##
<Directory /var/www/wp.scsiraidguru.com/public_html>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
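The directives above are the ones a reviewer checks first on an Apache TLS vhost. The script below is an added example, not code from the original post: it parses an Apache configuration text, evaluates the SSLProtocol token list the way Apache does (a `-all` reset followed by `+` additions), and reports the settings the post's configuration hardens (TLS 1.2/1.3 only, honoured cipher order, compression and session tickets off, OCSP stapling on, HSTS with a max-age of at least one year). It also catches typographic quotes, which Apache does not treat as quoting. Both SAMPLE_* configurations and the host name example.invalid are constructed for the example.

```python
"""Lint the TLS-relevant directives of an Apache vhost configuration."""
import re
from typing import Dict, List, Set

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000  # smallest HSTS max-age the preload list accepts

# Constructed sample: the weaker settings a fresh vhost often carries.
SAMPLE_WEAK = """
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine On
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCompression on
    Header always set Strict-Transport-Security \u201cmax-age=300\u201d
</VirtualHost>
"""

# Constructed sample: the post's hardened settings, condensed.
SAMPLE_HARDENED = """
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine On
    SSLUseStapling on
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
"""


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map directive name -> list of argument strings; comments and tags are skipped."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        found.setdefault(name, []).append(args.strip())
    return found


def enabled_protocols(spec: str) -> Set[str]:
    """Evaluate an SSLProtocol argument list left to right, as Apache does."""
    enabled: Set[str] = set()
    for token in spec.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | members if sign == "+" else enabled - members
    return enabled


def lint_tls_config(text: str) -> List[str]:
    """Return the findings for one config text; an empty list means all checks passed."""
    d = parse_directives(text)
    findings: List[str] = []

    def last(name: str, default: str) -> str:
        return d.get(name, [default])[-1].lower()

    if re.search("[\u201c\u201d]", text):
        findings.append("curly quotes present; Apache only understands straight double quotes")

    specs = d.get("SSLProtocol")
    if specs is None:
        findings.append("SSLProtocol not set; the server default still allows TLS 1.0/1.1")
    else:
        legacy_on = enabled_protocols(specs[-1]) & LEGACY
        if legacy_on:
            findings.append("SSLProtocol enables legacy versions: " + ", ".join(sorted(legacy_on)))

    if last("SSLCompression", "off") != "off":
        findings.append("SSLCompression is on (TLS compression is exploitable; turn it off)")
    if last("SSLSessionTickets", "on") != "off":
        findings.append("SSLSessionTickets not off (ticket keys live for the process lifetime)")
    if last("SSLHonorCipherOrder", "off") != "on":
        findings.append("SSLHonorCipherOrder not on (client chooses the cipher)")
    if last("SSLUseStapling", "off") != "on":
        findings.append("SSLUseStapling not on (no OCSP stapling)")

    hsts = re.search(r"Strict-Transport-Security.*?max-age=(\d+)", text)
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    elif int(hsts.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts.group(1)} is below one year")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, lint_tls_config(cfg) or "OK")
```

Running the script prints the seven findings for the weak sample and `OK` for the hardened one. The SSLProtocol evaluation is the part worth keeping: `all -SSLv3` still leaves TLS 1.0 and 1.1 enabled, which is exactly what the post's `-all +TLSv1.3 +TLSv1.2` avoids.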

SSL Labs.com rating for this site

Testing TLS_FALLBACK_SCSV

My servers only support TLS 1.2 and TLS 1.3.  They can’t fall back to TLS 1.1 or earlier.  I found this string that tests for it.

openssl s_client -connect wp.scsiraidguru.com:443 -fallback_scsv -no_tls1_2
CONNECTED(00000003)
140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 134 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1590750080
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no


SSL alert number 70 is protocol_version: the protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.
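Reading the s_client transcript by hand works for one host; for a fleet you want the verdict extracted automatically. The script below is an added example, not part of the original post: it parses the text `openssl s_client` writes, pulls out the alert number and the session's protocol and cipher lines, and classifies the forced-downgrade attempt. SAMPLE_REJECTED is the post's own transcript, shortened; SAMPLE_INAPPROPRIATE_FALLBACK and SAMPLE_ACCEPTED are constructed to show the two other outcomes, with `<pid>`, `<code>` and `<file>` as placeholders. The alert names come from the TLS alert registry (RFC 5246, RFC 7507, RFC 8446). No network access is needed.

```python
"""Classify the outcome of an `openssl s_client -fallback_scsv -no_tls1_2` test."""
import re
from typing import Optional, Tuple

# TLS alert descriptions a downgrade test is likely to produce.
ALERTS = {
    40: "handshake_failure",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    86: "inappropriate_fallback",
    110: "unsupported_extension",
}

# The post's transcript, shortened to the lines that matter.
SAMPLE_REJECTED = """CONNECTED(00000003)
140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
"""

# Constructed: a server that still offers TLS 1.1 but honours TLS_FALLBACK_SCSV.
SAMPLE_INAPPROPRIATE_FALLBACK = """CONNECTED(00000003)
<pid>:error:<code>:SSL routines:ssl3_read_bytes:tlsv1 alert inappropriate fallback:<file>:SSL alert number 86
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
"""

# Constructed: a server that neither disables TLS 1.1 nor honours the SCSV.
SAMPLE_ACCEPTED = """CONNECTED(00000003)
New, TLSv1.1, Cipher is ECDHE-RSA-AES128-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
"""


def parse_s_client(output: str) -> Tuple[Optional[int], Optional[str], Optional[str]]:
    """Return (alert number, negotiated protocol, cipher) found in the transcript."""
    alert = re.search(r"SSL alert number (\d+)", output)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    return (
        int(alert.group(1)) if alert else None,
        proto.group(1) if proto else None,
        cipher.group(1) if cipher else None,
    )


def classify_downgrade_test(output: str) -> str:
    """Short verdict: rejected:<alert name>, accepted:<protocol>, or inconclusive."""
    alert, proto, cipher = parse_s_client(output)
    if alert is not None:
        return "rejected:" + ALERTS.get(alert, f"alert_{alert}")
    # Cipher 0000 means no cipher was agreed, so the handshake never completed.
    if cipher and cipher != "0000":
        return f"accepted:{proto}"
    return "inconclusive"


if __name__ == "__main__":
    for label, sample in (
        ("post", SAMPLE_REJECTED),
        ("scsv-honoured", SAMPLE_INAPPROPRIATE_FALLBACK),
        ("downgradable", SAMPLE_ACCEPTED),
    ):
        print(f"{label}: {classify_downgrade_test(sample)}")
```

The three verdicts map to three server postures. `rejected:protocol_version` is the post's case: TLS 1.1 is not offered at all, so the SCSV never comes into play. `rejected:inappropriate_fallback` means the server still offers the older version but noticed the fallback signal and refused the downgrade. `accepted:TLSv1.1` is the one to fix: the older protocol is enabled and the server does not honour TLS_FALLBACK_SCSV, so a client can be pushed down to it.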