
Wednesday, 18 February 2015

Tune SSL on Apache 2.4/Windows

Today I spent some time tuning the Apache SSL settings to get Grade A at https://www.ssllabs.com/ssltest/.
Finding the equilibrium point between compatibility and transport security took some time. To save yours, I'm sharing the final configuration here.

Some notes first. I favored security over backward compatibility, so some older (very old, in fact) browsers will fail to establish a connection. I tried to cope with all the failed tests, but did not succeed. There are still some failed tests. Those tests do not affect the main purpose of the server.

  1. Download and install the latest Apache 2.4 binaries to pick up the fixes for known CVEs.
  2. I'm using http://www.startssl.com/ as the server certificate authority.
  3. Tune the SSL protocol, cipher suites, cipher ordering and OCSP stapling at the server level (httpd.conf):
    1. SSLProtocol all -SSLv2 -SSLv3
    2. SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    3. SSLHonorCipherOrder on
    4. SSLUseStapling On
    5. SSLStaplingCache shmcb:logs/ssl_stapling(32768)
  4. Add HTTP Strict Transport Security:
    1. Enable the headers module:
      1. LoadModule headers_module modules/mod_headers.so
    2. Set the header that requires HSTS at the VirtualHost level:
      1. Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
And you are done.
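A quick way to check that a configuration actually matches the profile above, before spending a scan at SSL Labs on it, is to audit the httpd.conf fragment for the same settings. The script below is an added example, not part of the original post: it parses a flat fragment (VirtualHost scoping is ignored), flags SSLv2/SSLv3 left enabled, cipher classes the post disables that are not explicitly excluded, a missing SSLHonorCipherOrder or stapling, and an absent or weak HSTS header. Both sample configurations are constructed for the example, and the one-year HSTS minimum is an assumed threshold rather than a value from the post.

```python
"""Audit an Apache httpd.conf fragment for the TLS settings discussed above."""
import re

# Constructed sample configs used as input; they are not taken from a real server.
WEAK_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL
SSLHonorCipherOrder off
"""

HARDENED_CONF = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on
SSLUseStapling On
SSLStaplingCache shmcb:logs/ssl_stapling(32768)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
"""

# Cipher classes the post's SSLCipherSuite disables; the audit expects each to be "!"-excluded.
BANNED = ("RC4", "aNULL", "eNULL", "LOW", "3DES", "MD5", "EXP")
MIN_HSTS_MAX_AGE = 31536000  # one year: an assumed threshold for this audit, not a value from the post


def parse_directives(conf):
    """Yield (directive_name_lower, value) for each non-comment line of a flat fragment.
    Section tags such as <VirtualHost> are skipped, so scoping is deliberately ignored."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        yield name.lower(), value.strip().strip('"')


def audit(conf):
    """Return a list of findings; an empty list means the fragment matches the hardened profile."""
    directives = list(parse_directives(conf))
    # Apache keeps the last occurrence of a directive in a scope; mimic that.
    last = lambda name, default="": next((v for n, v in reversed(directives) if n == name), default)
    findings = []

    # SSLProtocol: 'all' enables every protocol mod_ssl knows, so SSLv2/SSLv3 must be removed with '-'.
    proto = last("sslprotocol", "all").split()
    for old in ("SSLv2", "SSLv3"):
        listed = "all" in proto or old in proto or "+" + old in proto
        if listed and "-" + old not in proto:
            findings.append(f"SSLProtocol enables {old}")

    # SSLCipherSuite: OpenSSL accepts ':', ',' or whitespace as separators.
    tokens = re.split(r"[\s:,]+", last("sslciphersuite"))
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    for cls in BANNED:
        if cls in tokens or "+" + cls in tokens:
            findings.append(f"SSLCipherSuite enables {cls}")
        elif cls not in excluded:
            findings.append(f"SSLCipherSuite does not exclude {cls}")

    if last("sslhonorcipherorder").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on (client picks the suite)")
    if last("sslusestapling").lower() != "on":
        findings.append("OCSP stapling is off")

    # HSTS: the Header directive must be 'always' (also sent on error responses), long-lived,
    # and cover subdomains, as in the post's directive.
    hsts = next((v for n, v in directives if n == "header" and "strict-transport-security" in v.lower()), None)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
        if not hsts.lower().startswith("always"):
            findings.append("Header lacks 'always'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print("  -", f)
```

The check is static: it tells you the directives are what you intended, not what the running OpenSSL build actually negotiates, so it complements rather than replaces the external scan.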


Friday, 11 September 2009

Apache XML Security v1.4.3 and Java 6

It is not easy to get this combination up and running. Java 6 contains an XML Signature implementation (JSR 105). The implementation is based on XML Signature Syntax and Processing v1.0. This version does not contain the strong SHA-2 message digest function family. This family is supported in v1.1 of the spec, and v1.1 is a draft at this time. If you want to use a strong digest algorithm, you have to override the default XML Signature implementation by installing the Apache XML Security package. The packages have to be installed into the endorsed directory of your JRE. Several drawbacks still remain. Here they are:

  1. SHA-2 digest family is supported in a standard way but the constants are hidden inside internal class hierarchy

  2. commons-logging fails to initialize because of how JRE 6 loads the package: the call this.getClass().getClassLoader() surprisingly returns null, since a class from the endorsed directory is loaded by the bootstrap class loader, which has no ClassLoader object.



Problem 1) can be solved either by using the algorithm URI strings copied directly from the spec, or by using e.g. the org.apache.xml.security.signature.XMLSignature.ALGO_ID_MAC_HMAC_SHA256 constant.

Problem 2) is solved by replacing the commons-logging included in the XMLSig distribution with the newest one (1.1.1) from the commons-logging homepage.
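To show the Problem 1) workaround in practice, here is a small signer that produces an enveloped XML signature with SHA-256 for both the signature method and the reference digest, using the Apache XML Security (Santuario) API directly. It is an added example, not code from the post or from the Santuario project, and it assumes Apache XML Security 1.4.3 is installed in the endorsed directory as described above, that the key pair sits in a JKS keystore under an alias given on the command line, and that the input document has a root element the signature can be appended to. The signature method uses the Santuario constant ALGO_ID_SIGNATURE_RSA_SHA256; the digest method is the SHA-256 URI spelled out from the spec, the other approach the post suggests.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Enveloped RSA-SHA256 signature with a SHA-256 reference digest (added example, see lead-in). */
public class Sha256EnvelopedSigner {

    // SHA-256 digest URI copied from the spec rather than taken from an internal JDK class.
    private static final String DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";

    public static void main(String[] args) throws Exception {
        // Assumed arguments: input XML, output XML, JKS keystore path, keystore password, key alias.
        String inFile = args[0], outFile = args[1], ksPath = args[2], ksPass = args[3], alias = args[4];

        // Registers the Santuario algorithm mappings; must run before any XMLSignature use.
        Init.init();

        // XMLDSig processing needs a namespace-aware DOM.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new File(inFile));

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(ksPath), ksPass.toCharArray());
        PrivateKey key = (PrivateKey) ks.getKey(alias, ksPass.toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        // Signature method from the Santuario constant, exclusive C14N for SignedInfo.
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,
                Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        Element root = doc.getDocumentElement();
        root.appendChild(sig.getElement());

        // Reference "" = whole document; the enveloped transform excludes the Signature element itself.
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("", transforms, DIGEST_SHA256);

        sig.addKeyInfo(cert);
        sig.sign(key);

        XMLUtils.outputDOMc14nWithComments(doc, new FileOutputStream(outFile));
    }
}
```

If Init.init() or the first XMLSignature call dies inside commons-logging, that is the Problem 2) symptom from the post; the class path fix described there has to be in place before this example can run.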