After recently reading a number of SSL/TLS-related articles, I decided to experiment and look for the ideal OpenSSL configuration for Apache (using mod_ssl since I haven’t tried mod_gnutls yet) and nginx.
By “ideal” I mean that this configuration needs to be compatible with most user agents likely to interact with my website as well as being fast and secure.
Here is what I came up with for Apache:
and for nginx:
Cipher and protocol selection
When it comes to cipher and protocol selection, this configuration does three things:
- disables all weak ciphers and protocols
- disables very slow ciphers that use ephemeral Diffie-Hellman exchanges
- gives priority to the RC4 cipher to minimize CPU usage and defend against the BEAST attack
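OpenSSL cipher strings are easy to get wrong, and the only reliable way to know which suites a string like the one described above actually enables is to ask the OpenSSL build that will run them. The script below is an added example, not part of the original post and not the author's configuration: it expands a cipher string through Python's `ssl` module (which calls the same OpenSSL cipher-list code mod_ssl and nginx use), flags suites whose names carry known-weak markers, and classifies each suite's key exchange so you can see which ones use the ephemeral Diffie-Hellman exchange the article disables. The weak-marker list, the two sample cipher strings and the key-exchange labels are assumptions of this example; on a modern OpenSSL that has dropped RC4 entirely, an RC4-first string simply resolves to the remaining suites.

```python
import ssl

# Assumed list of name fragments that mark a suite as one to disable:
# NULL/export/anonymous/MD5 suites plus RC4, DES/3DES and RC2.
WEAK_MARKERS = ("NULL", "EXP", "ADH", "AECDH", "MD5", "RC4", "DES", "RC2")


def expand_cipher_string(spec: str) -> list[str]:
    """Return the suite names the local OpenSSL resolves `spec` to, in
    preference order (TLS 1.3 suites, if the build has them, come first)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing at all matches
    return [c["name"] for c in ctx.get_ciphers()]


def key_exchange(name: str) -> str:
    """Classify a suite's key exchange from its OpenSSL name (assumed labels)."""
    if name.startswith("TLS_"):  # TLS 1.3 suites always use an ephemeral exchange
        return "ephemeral (TLS 1.3)"
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith(("DHE-", "EDH-")):  # the slow finite-field DH the article turns off
        return "DHE"
    return "other/static"  # e.g. plain RSA key transport: no forward secrecy


def audit(spec: str) -> list[tuple[str, str, list[str]]]:
    """(name, key exchange, weak markers found) for every suite `spec` enables."""
    report = []
    for name in expand_cipher_string(spec):
        issues = [m for m in WEAK_MARKERS if m in name]
        report.append((name, key_exchange(name), issues))
    return report


def weak_suites(spec: str) -> list[str]:
    return [name for name, _, issues in audit(spec) if issues]


def dhe_suites(spec: str) -> list[str]:
    return [name for name, kx, _ in audit(spec) if kx == "DHE"]


if __name__ == "__main__":
    # Constructed sample strings: one in the spirit of the article (RC4 first,
    # ephemeral DH off) and one that keeps only AEAD suites with ECDHE.
    for label, spec in [
        ("article-style", "RC4-SHA:HIGH:!aNULL:!MD5:!kEDH"),
        ("ecdhe-aead-only", "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"),
    ]:
        print(f"== {label}: {spec}")
        for name, kx, issues in audit(spec):
            flag = " WEAK:" + ",".join(issues) if issues else ""
            print(f"  {name:<32} {kx}{flag}")
```

Run it against the exact `SSLCipherSuite` / `ssl_ciphers` value from your server configuration; if a suite you expected is missing, the string's keywords did not match on that OpenSSL version, which is the kind of surprise a browser-only test never reveals.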
Of course, you’ll want to make sure that your configuration works in common browsers, but you should also test with tools like wget, curl and httping, since many of the online monitoring services are built on them.
To increase the performance and security of your connections, you should ensure that the following features are enabled:
- SSL session caching with a session store shared between all of your web servers
- HSTS headers to let browsers know that they should always visit your site over HTTPS
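A misformatted HSTS header is silently ignored by browsers, so it is worth checking the value your server actually emits rather than the one you think you configured. The script below is an added example, not code from the original post: it pulls the `Strict-Transport-Security` header out of a raw HTTP response, parses it following the RFC 6797 rules (directive names are case-insensitive, each may appear only once, `max-age` is mandatory) and reports the problems a practitioner would want to catch. The sample response is constructed for the example, and the one-year minimum `max-age` is an assumed threshold, not a figure from the article.

```python
from __future__ import annotations

# Constructed sample response headers, not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # assumed minimum max-age for the check below


def get_header(raw: str, name: str) -> str | None:
    """Return the value of the first header called `name` (case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_hsts(value: str) -> dict[str, str | None]:
    """Parse an STS header value into {directive: argument or None}.
    RFC 6797: names are case-insensitive, duplicates make the header invalid."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name}")
        directives[name] = arg.strip().strip('"') if has_arg else None
    return directives


def check_hsts(value: str | None, min_age: int = ONE_YEAR) -> list[str]:
    """Return a list of problems with the header value (empty means it looks good)."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(value)
    except ValueError as err:
        return [str(err)]
    problems: list[str] = []
    age = d.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not a number (header will be ignored)")
    elif int(age) == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif int(age) < min_age:
        problems.append(f"max-age {age} below {min_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains not set")
    return problems


if __name__ == "__main__":
    hsts = get_header(SAMPLE_RESPONSE, "Strict-Transport-Security")
    print("header:", hsts)
    print("problems:", check_hsts(hsts) or "none")
```

Feed it the output of `curl -si https://yourhost/` and remember that browsers only honour the header on a response received over TLS without certificate errors, so the check only means something against the HTTPS endpoint.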