2. Apache2.2 - SSL

最後更新: 2016-10-08





設定 SSL Certicate 的位置



# This is your SSL certificate file for your domain

SSLCertificateFile /usr/local/ssl/crt/public.crt


# This is your private key file

SSLCertificateKeyFile /usr/local/ssl/private/private.key



# This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt




<IfModule mod_ssl.c>
    SSLEngine                 on
    SSLProtocol               -all +TLSv1.2
    SSLCipherSuite            HIGH
    SSLCertificateFile        /var/www/clients/client3/web4/ssl/your_domain.crt
    SSLCertificateKeyFile     /var/www/clients/client3/web4/ssl/your_domain.key
    SSLCertificateChainFile   /var/www/clients/client3/web4/ssl/your_domain.chain


SSL Bundle


It's several certificates grouped together,

that all need to be installed to make sure the one you're trying to use is fully trusted.

SSLCACertificateFile /var/www/clients/your_domain.bundle

(all-in-one file) These are used for Client Authentication.


ISPConfig 建立 Cert. 的過程


在 plugins-enabled/apache2_plugin.inc.php 內有以下一行

exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 2048");




SSLPassPhraseDialog builtin
( the default where an interactive terminal dialog occurs at startup time just before Apache detaches from the terminal. )
following reuse-scheme (all known Pass Phrases (at the beginning there are none, of course) are tried. )

# 不用人手入 password

SSLPassPhraseDialog exec:/ect/apache2/key.sh      <-- Permission: -rwx------ root root


echo 'your pass phrase'


# stdin, stdout

|/path/to/program [args...]

# two arguments ("servername:portnumber" "RSA | DSA")



Strong Security



# colon-separated cipher-spec string consisting of OpenSSL cipher specifications

# Default: Depends on OpenSSL version (openssl ciphers -v | grep TLSv1.2)

# Accepts strong encryption only

SSLCipherSuite HIGH:!aNULL:!MD5

設定的 value 有

Key Exchange Algorithm: RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman, Secure Remote Password

Authentication Algorithm: RSA, Diffie-Hellman, DSS, ECDSA, or none.

Cipher/Encryption Algorithm: AES, DES, Triple-DES, RC4, RC2, IDEA, etc.

MAC Digest Algorithm: MD5, SHA or SHA1, SHA256, SHA384.


HIGH         # all ciphers using Triple-DES
MEDIUM     # all ciphers with 128 bit encryption
LOW          # all low strength ciphers (no export, single DES)
SSLv3        # all SSL version 3.0 ciphers
TLSv1        # all TLS version 1.0 ciphers
aNULL       # all ciphers using no authentication


# TLSv1.2 Only

# Case-Insensitive
# -all SSLv3 TLSv1 TLSv1.1 TLSv1.2
SSLProtocol -all +TLSv1.2


Apache support 什麼 Version 的 TLS 係要看 OpenSSL library Version.

  • TLSv1.1, TLSv1.2(when using OpenSSL 1.0.1 and later)

# Disable SSLv3

SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2

* CBC-mode ciphers <= POODLE (man-in-the-middle attacks)

# Testing

# tested does not support SSLv3

openssl s_client -connect example.com:443 -ssl3

 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1_2       - just use TLSv1.2
 -tls1_1       - just use TLSv1.1
 -tls1         - just use TLSv1


140318663390888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
140318663390888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

# Apache 的 Default setting

apache 2.2:

All = "+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2"

# Openssl Version

openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

# 要 OpenSSL 1.0.1  先用到 TLSv1.1 及 TLSv1.2

# 只用 TLS 的 example

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

service httpd configtest

# Server 的要求優先

# Default: off
# normally the client's preference is used.
# If this directive is enabled, the server's preference will be used instead.

SSLHonorCipherOrder  on


Other http Service high security


ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


ssl_protocols = !SSLv2 !SSLv3




SSLProtocol       -All +TLSv1.2


Retrieve a list of the SSL/TLS cipher suites a particular website offers






# Enable compression on the SSL level
# Default: off

SSLCompression on

 * Enabling compression causes security issues in most setups (the so called CRIME attack).



SNI 設定


Unlike SSL, the TLS specification allows for name-based hosts

# an extension to the SSL protocol called Server Name Indication

# include the requested hostname in the first message of its SSL handshake (connection setup).

* The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.

* Apache supports SNI since Version 2.2.12

The first (default) vhost for SSL name-based virtual hosts must include TLSv1 as a permitted protocol

SSLProtocol -all +SSLv3 +TLSv1


# Ensure Load Module
LoadModule ssl_module modules/mod_ssl.so

# Ensure that Apache listens on port 443
Listen 443
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# off: Go ahead and accept connections for these vhosts
# on: non SNI clients are not allowed to access any name based virtual host belonging to 
#     this IP / port combination
SSLStrictSNIVHostCheck off


<VirtualHost *:443>
        DocumentRoot "/home/virtualhosts/???/public_html"
        ServerName x.x.x:443
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol -all +SSLv3 +TLSv1
        SSLCertificateFile /etc/httpd/conf.d/ssl/???.crt
        SSLCertificateKeyFile /etc/httpd/conf.d/ssl/???.key
        SSLCertificateChainFile /etc/httpd/conf.d/ssl/???.ca.chain

        <Directory /home/virtualhosts/???/public_html>
                Options Includes FollowSymLinks
                AllowOverride All

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars

        SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0


Common Log Format

#  defines the nickname "httpslog"

LogFormat  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %r %b" httpslog
CustomLog logs/access_log httpslog

# "\n" for new-line and "\t" for tab

  • %t    Time the request was received
  • %h    Remote host
  • %a    Remote IP-address
  • %r    First line of request
  • %b    Size of response in bytes, excluding HTTP headers.
  • %I    Bytes received, including request and headers
  • %O    Bytes sent, including headers


[30/Sep/2013:12:07:24 +0800] TLSv1 DHE-RSA-AES256-SHA GET /system/image/icon/logo.gif

SNI Support

Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even Internet Explorer 8 (because the support of this feature is not browser version dependent, it depends on SChannel system component which introduced the support of TLS SNI extension, starting from Windows Vista, not XP).


Other Options



SSLOptions [+|-]option

Configure various SSL engine run-time options

StdEnvVars - the standard set of SSL related CGI/SSI environment variables are created.

DOC: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions


Centos 6/7 的 tips


在 centos 上的 httpd 要另外安裝 mod_ssl 後才支援 https