Configuring an Apache Server with SSL/TLS Hardening
Table of Contents
In this article, we will explore how to configure an Apache server with SSL/TLS and implement security hardening measures.
SSL/TLS Certificate Setup
Installing OpenSSL
Install OpenSSL on your Apache server:
sudo apt-get install openssl
Creating SSL Certificate Directory
Create a directory for SSL certificate files:
sudo mkdir /etc/ssl/webserver.kikoo.lol
Generating a Self-Signed Certificate
Generate a self-signed certificate:
sudo openssl req -new -x509 -keyout /etc/ssl/webserver.kikoo.lol/Ma+super+CA.key -out /etc/ssl/webserver.kikoo.lol/Ma+super+CA.crt -days 365 -nodes
Generating an SSL Certificate for Your Server
Generate an SSL certificate for your server:
sudo openssl req -new -nodes -out /etc/ssl/webserver.kikoo.lol/mon+super+certificat.csr -keyout /etc/ssl/webserver.kikoo.lol/mon+super+certificat.key
Signing the SSL Certificate with Your CA Certificate
Sign the SSL certificate with your CA certificate:
sudo openssl x509 -req -in /etc/ssl/webserver.kikoo.lol/mon+super+certificat.csr -CA /etc/ssl/webserver.kikoo.lol/Ma+super+CA.crt -CAkey /etc/ssl/webserver.kikoo.lol/Ma+super+CA.key -CAcreateserial -out /etc/ssl/webserver.kikoo.lol/mon+super+certificat.crt -days 365
Apache SSL Configuration
Configuring Apache to Use SSL
Edit the Apache configuration file (/etc/apache2/ports.conf) to add the following directive:
Listen 443
Creating HTTPS Virtual Host
Edit the Apache configuration file (/etc/apache2/sites-available/https.conf) to add the following directives:
<VirtualHost *:443>
ServerName webserver.kikoo.lol
SSLEngine on
SSLCertificateFile /etc/ssl/webserver.kikoo.lol/mon+super+certificat.crt
SSLCertificateKeyFile /etc/ssl/webserver.kikoo.lol/mon+super+certificat.key
SSLCACertificateFile /etc/ssl/webserver.kikoo.lol/Ma+super+CA.crt
</VirtualHost>
Enabling the HTTPS Site
Enable the new website and disable the default site:
sudo a2ensite https
sudo a2dissite 000-default
Configuring SSL/TLS Protocols and Ciphers
Configure Apache to use only TLSv1.2 and TLSv1.3 protocols:
sudo nano /etc/apache2/mods-available/ssl.conf
Add the following lines to this file:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM:ECDHE-ECDSA-AES128-GCM:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256
Restarting Apache
Restart Apache for the changes to take effect:
sudo service apache2 restart
Local DNS Configuration
Editing the /etc/hosts File
To add the domain name, open the /etc/hosts file in edit mode:
sudo nano /etc/hosts
Add the domain name and its IP (for example 127.0.0.1 for a local server):
127.0.0.1 localhost webserver.kikoo.lol
Save and close the file.
Note: If you are in production, you must use the server’s public IP instead of
127.0.0.1.
Verifying SSL Configuration
- Access your server via https://webserver.kikoo.lol .
- Verify that you get a valid SSL certificate with the information from the self-signed certificate or the certificate provided by the CA.
SSL/TLS Hardening
I have already configured my Apache server to disable SSLv2 and SSLv3 and use strong ciphers to secure SSL/TLS exchanges.
Now, I will add the implementation of HSTS (HTTP Strict Transport Security) and OCSP (Online Certificate Status Protocol).
HSTS (HTTP Strict Transport Security)
HSTS is an HTTP header that tells the browser to send requests to this site only via HTTPS and not HTTP. This prevents connection interception attacks.
Enabling HSTS on Apache
To enable HSTS on Apache, add the following lines to your Apache configuration file:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
The max-age option defines the validity period of the HSTS header in seconds. includeSubDomains extends HSTS to all subdomains.
OCSP Stapling Cache
OCSP (Online Certificate Status Protocol) is a protocol that allows checking the revocation of an SSL/TLS certificate in real-time. However, this process can significantly slow down the SSL/TLS connection.
Stapling cache is a feature that allows storing the OCSP response in the server’s cache so that it no longer needs to be verified on each connection. This maintains the security of revocation verification while improving performance.
Enabling OCSP Stapling on Apache
To enable stapling cache on Apache, add the following lines to your Apache configuration file:
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
The SSLUseStapling option enables the stapling cache. The SSLStaplingCache option defines the location and size of the cache.
Applying Changes
To apply the modifications to the Apache server, restart the Apache service with the following command:
systemctl restart apache2
# or
service apache2 restart
In conclusion, adding HSTS and OCSP stapling cache strengthens the security of my SSL/TLS server on Apache.
Vulnerabilities Mitigated
With this hardening, we have mitigated the following attacks:
POODLE Attack Vulnerability
The POODLE attack (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566 ) is a man-in-the-middle (MITM) type exploit that allows an attacker to decrypt selected content from an SSL session.
Variations of the POODLE attack affect TLS because during an active MITM attack, an attacker can force the browser to downgrade the session to SSLv3, which can then be exploited.
BEAST Attack Vulnerability
The BEAST attack, reported as CVE-2011-3389 , exploits a weakness in the CBC (cipher-block chaining) encryption of SSL/TLS, allowing a MITM attacker to recover certain session information, such as cookie data, from a connection that should have been a secure connection.
SWEET32 Attack Vulnerability
The SWEET32 attack (assigned as CVE-2016-2183 ) exploits a collision attack to extract plaintext from encrypted data in an SSL/TLS session, when using 64-bit block cipher suites with CBC encryption mode.
SSLStrip Attack Vulnerability
The operation of SSLStrip is simple: replace all HTTPS requests on a web page with HTTP and then perform a MITM attack, which allows an attacker to obtain HTTP data in plaintext on the network, useful for Phishing attacks for example. HSTS prevents this because no insecure connection can be established.
Note: Regarding OCSP, I do not fully understand what is explained in the source, so I cannot explain how we mitigated the DDoS attacks mentioned through OCSP stapling.