Finding the equilibrium point between compatibility and transport security took some time. To save yours, I'm sharing the final configuration here.
Some notes first. I favored security over backward compatibility, so some older (very old, in fact) browsers will fail to establish a connection. I tried to cope with all failed tests but did not succeed. There are still some failed tests. Those tests do not affect the main purpose of the server.
- Download and install the latest Apache 2.4 binaries to close the known CVEs in older releases.
- I'm using http://www.startssl.com/ as the server certification authority.
- Tune the SSL protocol, cipher suites and related directives at server level (httpd.conf):
  - SSLProtocol all -SSLv2 -SSLv3
    (On a current Apache 2.4 / OpenSSL build, TLSv1 and TLSv1.1 should go as well; SSLProtocol -all +TLSv1.2 +TLSv1.3 expresses the same intent today.)
  - SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    (OpenSSL accepts spaces as well as colons as separators, so the quoted form works. Every suite this expands to uses an ephemeral key exchange, so there is forward secrecy throughout; the bare EECDH and EDH+aRSA entries admit CBC/SHA-1 suites at the tail of the list for older clients, which is why the next directive matters.)
  - SSLHonorCipherOrder on
  - SSLUseStapling On
  - SSLStaplingCache shmcb:logs/ssl_stapling(32768)
    (SSLStaplingCache must be placed outside any VirtualHost and needs mod_socache_shmcb loaded; the server also needs outbound access to the CA's OCSP responder, or stapling silently does nothing.)
- Add HTTP Strict Transport Security:
  - Enable the headers module:
    - LoadModule headers_module modules/mod_headers.so
  - Set the header in the HTTPS VirtualHost only, never in the plain-HTTP one:
    - Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    (max-age is two years in seconds; includeSubDomains commits every subdomain to HTTPS, so make sure none of them still needs plain HTTP before enabling it.)
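The cipher string above is only as good as what the local OpenSSL actually expands it to, and that differs between builds. The following script is an added example, not code from the original post: it feeds the post's SSLCipherSuite string to the OpenSSL that Python is linked against, lists the suites that result, and checks each one for the properties the configuration is aiming at (forward secrecy, no anonymous, NULL, RC4, 3DES or MD5 suites, at least 128-bit keys). The function names and the split between hard failures and "legacy, keep at the tail" notes are my own; the cipher string is the post's.

```python
"""Audit an Apache SSLCipherSuite string by expanding it with the local OpenSSL.

Added example (not from the original post). Results depend on the OpenSSL
build that Python's ssl module is linked against, which is the point: run it
on the machine that will serve the site.
"""
import ssl

# Cipher string exactly as it appears in the post's SSLCipherSuite directive.
POST_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA "
    "!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Key-exchange identifiers (as reported by SSLContext.get_ciphers()) that give
# forward secrecy in TLS 1.2 and earlier.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe"}


def cipher_problems(c):
    """Hard failures for one entry of SSLContext.get_ciphers(); empty list if fine."""
    problems = []
    protocol = c.get("protocol", "")
    sym = (c.get("symmetric") or "").lower()
    digest = (c.get("digest") or "").lower()
    # TLS 1.3 suites always use an ephemeral key exchange (reported as kx-any);
    # for everything older the kea field tells us whether the suite is forward secret.
    if protocol != "TLSv1.3" and c.get("kea") not in FORWARD_SECRET_KEA:
        problems.append("no forward secrecy (kea=%s)" % c.get("kea"))
    if c.get("auth") == "auth-null":
        problems.append("anonymous (aNULL) suite")
    # "des" also catches des-ede3-cbc, i.e. 3DES; "aes" does not match it.
    if sym in ("", "null") or "rc4" in sym or "des" in sym:
        problems.append("weak or missing bulk cipher (%s)" % (sym or "none"))
    if digest == "md5":
        problems.append("MD5 MAC")
    if c.get("strength_bits", 0) < 128:
        problems.append("key strength below 128 bits")
    return problems


def legacy_notes(c):
    """Soft findings: suites acceptable only as a last resort for old clients."""
    if not c.get("aead", False):
        return ["CBC + HMAC (non-AEAD); keep SSLHonorCipherOrder on so it is a last resort"]
    return []


def audit_cipher_string(cipher_string):
    """Expand cipher_string with the local OpenSSL and audit every enabled suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    enabled = ctx.get_ciphers()     # list of dicts, one per suite, in preference order
    report = {"enabled": [c["name"] for c in enabled], "problems": {}, "legacy": {}}
    for c in enabled:
        p = cipher_problems(c)
        if p:
            report["problems"][c["name"]] = p
        n = legacy_notes(c)
        if n:
            report["legacy"][c["name"]] = n
    return report


if __name__ == "__main__":
    report = audit_cipher_string(POST_CIPHER_STRING)
    print("%d suites enabled by this OpenSSL, in preference order:" % len(report["enabled"]))
    for name in report["enabled"]:
        flags = report["problems"].get(name, []) + report["legacy"].get(name, [])
        print("  %-40s %s" % (name, "; ".join(flags) if flags else "ok"))
    print("hard failures: %d, legacy suites at the tail: %d"
          % (len(report["problems"]), len(report["legacy"])))
```

Run it on the server host; a clean result is an empty "hard failures" count, with any legacy (CBC/SHA-1) suites listed only after the AEAD ones. Once the configuration is live, confirm the other two pieces from outside: `openssl s_client -connect host:443 -status` should print "OCSP Response Status: successful" if stapling works, and `curl -sI https://host/` should show the Strict-Transport-Security header.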