Hardening SSL in Apache 2.x

The following configuration directives will disable weak ciphers and versions vulnerable to known attacks such as POODLE.

CentOS/RHEL

  • /etc/httpd/conf.d/ssl.conf

Debian/Ubuntu 

  • /etc/apache2/mods-available/ssl.conf
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

The available ciphers depend on the version of OpenSSL used, not on the version of Apache.

openssl ciphers -v

Qualys Labs has a comprehensive SSL test for scanning your site