Undoubtedly, you will have heard about the weaknesses of old SSL and TLS protocol versions and ciphers. Web browsers have been updated; but the server administrators are left alone: For stability reasons, many run long-term support editions such as Ubuntu 12.04 LTS. Even without that, most will stick to the reliability of Apache 2.2, hesitant to upgrade to 2.3 or 2.4 with their manifold changes. TLS Interposer can help you make your trusty Apache 2.2 on par with the most secure web server.
- TLS Interposer
- Eliminate BEAST, CRIME, Lucky13, RC4, SSLv3 weaknesses from binary/legacy applications
- Upgrading Apache 2.2 OpenSSL security with TLS Interposer
- Upgrade ejabberd to the latest TLS security [UPDATE#2, 2014-06-05]
- Securing fetchmail with improved TLS parameters
- Using TLS Interposer with OpenSSL 0.9.8g (Debian Lenny)
- Disable client certificate requests for Cyrus IMAP
If you have not installed TLS Interposer yet, please do so now using the TLS Interposer installation instructions.
Assuming Ubuntu 12.04 LTS with at least OpenSSL 1.0.1, you then add the following line to
/etc/apache2/envvars:Other Linux distributions will probably behave similarly
and restart Apache using
/etc/init.d/apache2 restart. This makes sure a new process is started which inherits the newly-set environment variable.
You’re done! Your Apache 2.2 TLS configuration is state of the art! To be sure that everything works as expected, test your site settings with the Qualys SSL Labs SSL Server Tester. It should look somewhat like my results.
I still have the following settings in the Apache configuration:
SSLProtocol ALL -SSLv2 -SSLv3
# SSLCipherSuite settings will be ignored