Finding a secure and compatible Apache configuration that is dealing with all the nice vulnerabilities in SSL and TLS handling is not an easy task. I always try to use an optimal configuration for my Apache 2.2. There are many threads in the Internet, but often the recommendations there don’t work, because they are for Apache 2.4 or outdated. Often it is hard to find out, which version of Apache is dealt with in such a thread. Anyway, it might be helpful for others, so here is my configuration that gets an A+ at SSL Labs. It works with Apache 2.2.29.

1
2
3
4
5
6
7
8
9
LoadModule headers_module modules/mod_headers.so

SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLInsecureRenegotiation Off
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"