The most common way we did this was, in the virtual host directive for the SSL 
side of the site, to declare what is and is not allowed.
There are plenty of docs on this out there, but here is ours:


SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLClientAuth 0


Don Abernathy
Group Manager- Web Services
T: 617-954-4127
MFS Investment Management
111 Huntington Ave, Boston, MA 02199



From: Chunduru, Krishnachaithanya 
[mailto:krishnachaithanya.chund...@broadridge.com]
Sent: Friday, March 17, 2017 10:37 AM
To: users@httpd.apache.org
Subject: [users@httpd] Enabling Forward secrecy on SSL

Hi All,

Can someone advise me on how to achieve the below on a server running with 
Apache SSL enabled.


* SSL - Supports Weak Encryption: The following protocols should be 
switched on - TLS 1.2, TLS 1.1, TLS 1.0. SSL 3 and SSL 2 should be disabled.

* Weak Configuration - SSL/TLS - Deprecated Protocol: Disable the use 
of SSL 2.0 and 3.0 as well as TLS 1.0. Use TLS 1.1, 1.2, or later and set the 
latest protocol as preferred.

* The Server Does Not Support Forward Secrecy:

Regards,
Krishna
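
Added example (not part of the original messages): a Python check that reads the SSLCipherSpec lines quoted in the reply above and marks which enabled suites give forward secrecy (ECDHE/DHE key exchange) and which fall back to plain RSA key exchange. The function names, and the reading of "ALL NONE" as a reset with every other line adding one suite, are assumptions of this example.

```python
import re

# Constructed sample: the directives quoted in the reply above.
SAMPLE_CONFIG = """\
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLClientAuth 0
"""

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")
FS_KEY_EXCHANGES = ("ECDHE", "DHE")  # ephemeral Diffie-Hellman key exchange


def parse_cipher_specs(config_text):
    """Return (protocol, suite) pairs in config order.

    Assumption: only the three-token form used on this page is handled;
    'ALL NONE' clears everything enabled so far, other lines add one suite.
    """
    enabled = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 3 or parts[0].lower() != "sslcipherspec":
            continue
        _, protocol, suite = parts
        if suite.upper() == "NONE":
            enabled = [e for e in enabled
                       if protocol.upper() != "ALL" and e[0] != protocol]
        else:
            enabled.append((protocol, suite))
    return enabled


def audit(config_text):
    """Classify each enabled suite by key exchange and cipher mode."""
    rows = []
    for protocol, suite in parse_cipher_specs(config_text):
        m = SUITE_RE.match(suite)
        kx = m.group("kx").split("_")[0] if m else None
        rows.append({"protocol": protocol, "suite": suite,
                     "forward_secrecy": kx in FS_KEY_EXCHANGES if m else None,
                     "aead": "_GCM_" in suite})
    return rows
```

Rows with forward_secrecy set to False are the suites a scanner would still see negotiated without forward secrecy when a client does not offer ECDHE.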

