This will cover securing Apache so that it accepts only TLS 1.2 and TLS 1.3 with secure ciphers, which means disabling every cipher considered weak or insecure.
Protocols older than TLS 1.2 should be disabled because they are outdated and riddled with known vulnerabilities and exploits.
Remember that if you disable a protocol that a client relies on, that client will no longer be able to reach the website you're securing. This guide therefore also covers redirecting clients on unsupported ciphers and protocols to an alternative website, which will itself need to support those older protocols; in my example that website is here.
First you need to find the Apache2 configuration file where your SSL settings are defined; for me this is the location:
/etc/apache2/sites-enabled/www-blog
This could also be called something like default-ssl.conf, and it will contain all the SSL configuration that Apache uses to serve your website. Towards the top of this file you will need to add these directives so that Apache only allows secure protocols and cipher suites to connect, as below:
Note: the SSL directives need to be added between <VirtualHost> and </VirtualHost>, as they need to be in the right section of the configuration; if you add them outside these markers they will not apply and Apache may fail to start.
# Load required SSL modules (server-level, outside any <VirtualHost>;
# on Debian/Ubuntu the same is done with "a2enmod ssl socache_shmcb rewrite headers")
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule rewrite_module modules/mod_rewrite.so
# SSL Global Context
# Forward-secret AEAD suites only; the server (not the client) picks the order
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Disable everything, then re-enable only TLS 1.2 and TLS 1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
# Session cache and stapling cache are server-level directives (outside <VirtualHost>)
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionTickets off
# OCSP Stapling
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Then for additional security we need to set the HTTP security headers, which tell the client how it must treat connections to and responses from the site:
# HTTP Security Headers (require mod_headers)
# HSTS: two years, covers subdomains; "preload" only takes effect once the domain is submitted to the preload list
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
If you wish to redirect traffic from clients that do not meet the new security requirements to an alternative website, you can add these steps:
Note: the redirect site for my example, which is live, is https://insecure.a6n.co.uk
# Redirect conditions for SSL/TLS versions
# (these rules only see connections that completed the TLS handshake; a client that
# cannot speak TLSv1.2/1.3 at all is already refused by SSLProtocol above)
SSLOptions +StrictRequire
# Export SSL_PROTOCOL, SSL_CIPHER etc. as environment variables
SSLOptions +StdEnvVars
# Redirect based on SSL Protocol version
RewriteEngine On
RewriteCond %{SSL:SSL_PROTOCOL} !^TLSv1\.2$ [NC]
RewriteCond %{SSL:SSL_PROTOCOL} !^TLSv1\.3$ [NC]
# Use R=302 while testing so browsers do not cache the redirect permanently
RewriteRule ^(.*)$ https://insecure.a6n.co.uk/ [R=301,L]
# Redirect based on unsupported ciphers
# (SSLRequire cannot redirect and is only valid in <Directory>/.htaccess context, so the
# allow-list is expressed as a RewriteCond on the negotiated cipher; note that
# EECDH+AESGCM above also admits AES128-GCM suites, which this list would redirect)
RewriteCond %{SSL:SSL_CIPHER} !^(ECDHE-RSA-AES256-GCM-SHA384|ECDHE-ECDSA-AES256-GCM-SHA384|DHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305|DHE-RSA-CHACHA20-POLY1305|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256)$
RewriteRule ^(.*)$ https://insecure.a6n.co.uk/ [R=301,L]
If you then want to log all of this data, including the protocol and cipher negotiated for each request, to a log file, you will also need to add this to the configuration file:
# Log SSL protocol and cipher information
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" ssl_custom
CustomLog logs/ssl_access_log ssl_custom
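As an added example that is not part of the original post, here is a small Python script that reads the ssl_custom log format above and flags any request that negotiated a protocol or cipher outside the policy configured earlier; the log lines it runs over are constructed, not real traffic.

```python
import re
from collections import Counter
# Regex for the ssl_custom LogFormat above:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %{SSL_PROTOCOL}x %{SSL_CIPHER}x
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<protocol>\S+) (?P<cipher>\S+)$'
)
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Same cipher allow-list as the redirect rules in the post
ALLOWED_CIPHERS = {
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "DHE-RSA-CHACHA20-POLY1305",
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}

def parse_line(line):
    """Return the fields of one ssl_custom line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit(lines):
    """Count (protocol, cipher) pairs and list requests outside the TLS policy."""
    seen = Counter()
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than guessing at fields
        seen[(rec["protocol"], rec["cipher"])] += 1
        if rec["protocol"] not in ALLOWED_PROTOCOLS or rec["cipher"] not in ALLOWED_CIPHERS:
            violations.append((rec["host"], rec["protocol"], rec["cipher"]))
    return seen, violations

# Constructed sample lines in the ssl_custom format (not real traffic)
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TLSv1.3 TLS_AES_256_GCM_SHA384
203.0.113.11 - - [12/Mar/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 8.0)" TLSv1 AES128-SHA
198.51.100.9 - - [12/Mar/2024:10:03:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    counts, bad = audit(SAMPLE_LOG.splitlines())
    for (proto, cipher), n in counts.most_common():
        print(f"{n:5d}  {proto:8s} {cipher}")
    for host, proto, cipher in bad:
        print(f"POLICY VIOLATION from {host}: {proto} {cipher}")
```

Run it against the real ssl_access_log on the insecure vhost to see which clients still depend on the legacy protocols, and on the main vhost to confirm nothing outside the policy is getting through.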
If you are also hosting the redirect target on the same server you are securing, you will need to add a VirtualHost configuration that allows the insecure connections to it, bearing in mind that this destination site needs to support the old TLS/SSL protocols:
# Virtual Host for handling redirected traffic
<VirtualHost *:443>
    ServerName insecure.a6n.co.uk
    SSLEngine on
    # Replace the placeholder paths with your own certificate files
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    SSLCertificateChainFile /path/to/chain.crt
    # More permissive SSL configuration for outdated clients
    # (a per-vhost SSLProtocol is only honoured for clients that send SNI on a
    # recent Apache/OpenSSL; clients without SNI get the default vhost's settings)
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
    DocumentRoot /var/www/insecure-data
    <Directory /var/www/insecure-data>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>