How to enable SSL/TLS under Apache Web Server
This article presents a minimal configuration for enabling SSL/TLS in Apache. Use it as a base and extend it once you have read the Apache Web Server documentation.
A sample configuration for Apache 2.4 SSL/TLS
This article is intended simply to explain how to configure SSL/TLS for Apache Web Server. You are strongly encouraged to read the rest of the SSL documentation, and arrive at a deeper understanding of the material, before progressing to the advanced techniques.
Configuration Hints:
- To create an SSL server which accepts strong encryption only, set SSLCipherSuite as follows:
SSLCipherSuite HIGH:!aNULL:!MD5
- Another way is to specify a preference for specific speed-optimized ciphers by setting SSLCipherSuite together with SSLHonorCipherOrder, as follows. Note that RC4 is prohibited for TLS by RFC 7465 and is disabled by default in OpenSSL since 1.1.0, so this example is kept for illustration only:
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
- OCSP Stapling: The Online Certificate Status Protocol (OCSP) is a mechanism for determining whether or not a server certificate has been revoked. Once general SSL support has been configured properly, enabling OCSP Stapling generally requires only very minor modifications to the httpd configuration:
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
- If more than a few SSL certificates are used for the server, keep in mind that OCSP responses are stored in the SSL stapling cache. While the responses are typically a few hundred to a few thousand bytes in size, mod_ssl supports OCSP responses up to around 10K bytes in size. With more than a few certificates, the stapling cache size (32768 bytes in the example above) may need to be increased; error message AH01929 will be logged in case of an error storing a response.
- If multiple SSL-enabled virtual hosts are configured and OCSP Stapling should be disabled for some of them, add
SSLUseStapling Off
to the virtual hosts for which OCSP Stapling should be disabled.
- mod_ssl can log extremely verbose debugging information to the error log when its LogLevel is set to the higher trace levels. On the other hand, on a very busy server, level info may already be too much. Remember that you can configure the LogLevel per module to suit your needs.
Sample Apache Configuration: Enable the SSL Module and Include SSL Configuration in Apache main configuration
## Sample Configuration for Apache HTTP Server v 2.4 @ /etc/apache2/httpd2.conf
## Add the following directives to the apache main configuration
# ...
LoadModule ssl_module modules/mod_ssl.so
# ...
Include /etc/apache2/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# ...
# END
Sample Apache SSL configuration using mod_ssl
## Sample (minimal) Configuration for Apache HTTP Server v 2.4 @ /etc/apache2/extra/httpd-ssl.conf
## (c) 2020 w3soft.org
Listen 443

# Cipher selection. HIGH:MEDIUM is permissive; the hint above shows the stricter
# HIGH:!aNULL:!MD5 form. SSLHonorCipherOrder makes the server's preference win.
SSLCipherSuite HIGH:MEDIUM
SSLProxyCipherSuite HIGH:MEDIUM
SSLHonorCipherOrder on

# Protocol selection: everything the OpenSSL build offers, except SSLv3.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

# Prompt on the terminal at startup if the private key is passphrase-protected.
SSLPassPhraseDialog builtin

# Session cache in memcached. The memcache provider needs mod_socache_memcache
# loaded and a memcached instance listening on 127.0.0.1:11211; the timeout is in seconds.
SSLSessionCache "memcache:127.0.0.1:11211"
SSLSessionCacheTimeout 720

<VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/var/www/htdocs"
    ServerName localhost:443
    ServerAdmin admin@localhost
    ErrorLog "/var/www/logs/error_log"
    TransferLog "/var/www/logs/access_log"

    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Certificate and key are read from the same PEM file here, so that file must
    # contain both the certificate and the private key. Because it holds the key,
    # keep it readable by root only.
    SSLCertificateFile "/etc/apache2/cert.pem"
    SSLCertificateKeyFile "/etc/apache2/cert.pem"

    # Export the SSL_* environment variables to CGI/SSI scripts and PHP.
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # Workaround for broken keepalive and SSL shutdown handling in old MSIE versions.
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Per-request log including the negotiated protocol and cipher.
    CustomLog "/var/www/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
## END
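As an added example (not code from this article or from the Apache project), the following Python script checks a mod_ssl configuration like the one above against the hints given earlier: protocol versions that SSLProtocol leaves enabled, cipher-string tokens that admit weak families (RC4, MD5, aNULL, MEDIUM and similar), an OCSP stapling cache that is missing or too small for the number of stapled certificates using the roughly 10K-per-response bound from the hints, and a virtual host that reads its certificate and private key from the same PEM file. The weak-token list, the expansion of "all" into protocol names, and the SAMPLE configuration text are constructed assumptions for this example, not Apache behaviour taken from the article.

```python
"""Lint a mod_ssl configuration for the pitfalls this article discusses.
Added example, not code from the article or from Apache: a small Apache
directive parser plus checks on SSLProtocol, SSLCipherSuite, OCSP stapling
cache sizing and certificate/key placement.  SAMPLE is constructed."""
import re

OCSP_RESPONSE_MAX = 10 * 1024  # mod_ssl handles OCSP responses up to ~10K bytes each
# Heuristic: cipher-string components that enable a weak or legacy family
# (MEDIUM admits 128-bit legacy suites, RC4 among them in older OpenSSL builds).
WEAK_CIPHER_PARTS = {"RC4", "MD5", "aNULL", "eNULL", "NULL", "EXP", "EXPORT", "LOW", "DES", "MEDIUM"}
# What "all" expands to here; the real set depends on the OpenSSL build.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(text):
    """Return (directive, args, section) tuples, section being the innermost <Container>
    or None at server scope; joins backslash continuations, keeps quoted args whole."""
    stack, out = [], []
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())
        else:
            tokens = [q or u for q, u in re.findall(r'"((?:[^"\\]|\\.)*)"|(\S+)', line)]
            out.append((tokens[0], tokens[1:], stack[-1] if stack else None))
    return out

def enabled_protocols(args):
    """Expand SSLProtocol arguments such as ['all', '-SSLv3'] into the enabled set."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = PROTOCOLS if name.lower() == "all" else [name]
        (enabled.update if sign == "+" else enabled.difference_update)(names)
    return enabled

def weak_cipher_tokens(spec):
    """Tokens of an OpenSSL cipher string that enable (rather than exclude) a weak family."""
    return [tok for tok in spec.split(":") if tok[:1] not in ("!", "-", "@", "")
            and set(re.split(r"[-+]", tok.lstrip("+"))) & WEAK_CIPHER_PARTS]

def stapling_findings(directives):
    """Stapling needs a cache, and the cache must fit one response per stapled certificate."""
    global_on = any(d == "SSLUseStapling" and s is None and a[0].lower() == "on" for d, a, s in directives)
    per_vhost = {s: a[0].lower() == "on" for d, a, s in directives if d == "SSLUseStapling" and s}
    stapled = [a[0] for d, a, s in directives if d == "SSLCertificateFile" and per_vhost.get(s, global_on)]
    cache = next((a[0] for d, a, _ in directives if d == "SSLStaplingCache"), None)
    if not stapled:
        return []
    if cache is None:
        return ["SSLUseStapling On but no SSLStaplingCache; the mod_ssl docs make a cache mandatory"]
    size = re.search(r"\((\d+)\)", cache)  # e.g. shmcb:logs/ssl_stapling(32768)
    if size and len(stapled) > int(size.group(1)) // OCSP_RESPONSE_MAX:
        return [f"stapling cache of {size.group(1)} bytes fits {int(size.group(1)) // OCSP_RESPONSE_MAX} "
                f"worst-case responses but {len(stapled)} certificates are stapled; expect AH01929"]
    return []

def cert_key_findings(directives):
    """Flag hosts whose certificate and private key come from the same PEM file."""
    files = {}
    for d, a, s in directives:
        if d in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            files.setdefault(s, {})[d] = a[0]
    return [f"{s}: certificate and key both read from {f['SSLCertificateFile']}; that file must "
            "hold both objects and be readable by root only" for s, f in files.items()
            if "SSLCertificateFile" in f and f["SSLCertificateFile"] == f.get("SSLCertificateKeyFile")]

def lint(text):
    """Run every check over one configuration text and return the list of findings."""
    directives = parse_directives(text)
    findings = []
    for d, a, _ in directives:
        if d in ("SSLProtocol", "SSLProxyProtocol"):
            legacy = enabled_protocols(a) & LEGACY_PROTOCOLS
            if legacy:
                findings.append(f"{d} enables legacy protocols: {sorted(legacy)}")
        elif d in ("SSLCipherSuite", "SSLProxyCipherSuite"):
            findings += [f"{d} enables a weak family via '{tok}'" for tok in weak_cipher_tokens(a[-1])]
    return findings + stapling_findings(directives) + cert_key_findings(directives)

# Constructed sample mirroring the article's httpd-ssl.conf directives.
SAMPLE = r'''
SSLCipherSuite HIGH:MEDIUM
SSLProxyCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile "/etc/apache2/cert.pem"
    SSLCertificateKeyFile "/etc/apache2/cert.pem"
    CustomLog "/var/www/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
'''

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("-", finding)
```

Run as a script, it lists five findings for the sample above: MEDIUM in both cipher strings, TLSv1 and TLSv1.1 still enabled by both protocol directives, and the shared certificate/key file. Feed it a real httpd-ssl.conf by replacing SAMPLE with the file contents; `apachectl configtest` remains the authoritative syntax check, this script only flags the policy points the hints raise.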