The Apache HTTP Server team cannot determine these things for you. For the purposes of this document, which was last updated in mid-2016, 'strong encryption' refers to a TLS implementation which provides all of the following, in addition to the basic confidentiality, integrity, and authenticity protection that most users already expect.

A tutorial on how to add an extra layer of security to your Apache web server by installing an SSL certificate on the server (plus the few required commands).

HttpClient provides full support for HTTP over Secure Sockets Layer (SSL) or IETF Transport Layer Security (TLS) protocols by leveraging the Java Secure Socket Extension (JSSE). JSSE has been integrated into the Java 2 platform as of version 1.4 and works with HttpClient out of the box.
The Online Certificate Status Protocol (OCSP) is a mechanism for determining whether or not a server certificate has been revoked, and OCSP Stapling is a special form of this in which the server, such as httpd and mod_ssl, maintains current OCSP responses for its certificates and sends them to clients which communicate with the server. Most certificates contain the address of an OCSP responder maintained by the issuing Certificate Authority, and mod_ssl can communicate with that responder to obtain a signed response that can be sent to clients communicating with the server.
This document shows how to enable an Apache HTTP server to use SSL on port 443 and non-SSL on port 80.

Resolving the problem: to enable port 443 to use SSL while port 80 is non-SSL, do the following (to have a potentially associated WebSphere Application Server accept port 443, read Rochester Support Center document N1013078, How to Enable.
Because the client can obtain the certificate revocation status from the server, without requiring an extra connection from the client to the Certificate Authority, OCSP Stapling is the preferred way for the revocation status to be obtained. Other benefits of eliminating the communication between clients and the Certificate Authority are that the client browsing history is not exposed to the Certificate Authority and obtaining status is more reliable by not depending on potentially heavily loaded Certificate Authority servers.

Because the response obtained by the server can be reused for all clients using the same certificate during the time that the response is valid, the overhead for the server is minimal.
Once general SSL support has been configured properly, enabling OCSP Stapling generally requires only very minor modifications to the httpd configuration, namely the addition of these two directives:
These directives are placed at global scope (i.e., not within a virtual host definition) wherever other global SSL configuration directives are placed, such as in conf/extra/httpd-ssl.conf for normal open source builds of httpd, /etc/apache2/mods-enabled/ssl.conf for the Ubuntu or Debian-bundled httpd, etc.

The path on the SSLStaplingCache directive (e.g., logs/) should match the one on the SSLSessionCache directive. This path is relative to

The SSLStaplingCache directive requires mod_socache_shmcb (from the shmcb prefix on the directive's argument). This module is usually enabled already for SSLSessionCache or on behalf of some module other than mod_ssl. If you enabled an SSL session cache using a mechanism other than mod_socache_shmcb, use that alternative mechanism for SSLStaplingCache as well. For example:
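As an added example (not configuration taken from the page or from the httpd project), the two global directives that enable stapling, in the shmcb form that matches an SSLSessionCache directive, followed by the dbm-backed alternative for servers whose session cache does not use mod_socache_shmcb. The paths and the cache sizes are assumptions chosen to match the values discussed above.

```apache
# Added example: global mod_ssl stapling configuration (not from the page).
# Place it alongside the other global SSL directives, e.g. in
# conf/extra/httpd-ssl.conf or /etc/apache2/mods-enabled/ssl.conf.

# Session cache as found in most distributions' ssl.conf (assumed values).
SSLSessionCache        "shmcb:logs/ssl_scache(512000)"

# Enable OCSP stapling for every SSL virtual host that does not opt out.
SSLUseStapling         On

# The stapling cache must use the same socache provider (mod_socache_shmcb,
# selected by the shmcb prefix) and the same relative path prefix (logs/) as
# SSLSessionCache. 32768 bytes holds only a handful of responses (each a few
# hundred to a few thousand bytes, up to ~10K); raise it when the server has
# many certificates, otherwise mod_ssl logs AH01929 when it cannot store one.
SSLStaplingCache       "shmcb:logs/ssl_stapling(32768)"

# Alternative when the session cache uses a different provider (here
# mod_socache_dbm): use that same provider for the stapling cache too.
# SSLSessionCache      "dbm:logs/ssl_scache"
# SSLStaplingCache     "dbm:logs/ssl_stapling"
```

After a restart, a client-side check against the server (www.example.com is a placeholder) is `openssl s_client -connect www.example.com:443 -status -servername www.example.com < /dev/null 2>&1 | grep -A2 'OCSP response'`. A stapling server prints an `OCSP Response Status: successful (0x0)` block; a server that is not stapling prints `OCSP response: no response sent`.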
You can use the openssl command-line program to verify that an OCSP response is sent by your server:
The following sections highlight the most common situations which require further modification to the configuration. Refer also to the mod_ssl reference manual.
If more than a few SSL certificates are used for the server
OCSP responses are stored in the SSL stapling cache. While the responses are typically a few hundred to a few thousand bytes in size, mod_ssl supports OCSP responses up to around 10K bytes in size. With more than a few certificates, the stapling cache size (32768 bytes in the example above) may need to be increased. Error message AH01929 will be logged in case of an error storing a response.
If the certificate does not point to an OCSP responder, or if a different address must be used

Refer to the SSLStaplingForceURL directive.
You can confirm that a server certificate points to an OCSP responder using the openssl command-line program, as follows:

If the OCSP URI is provided and the web server can communicate to it directly without using a proxy, no configuration is required. Note that firewall rules that control outbound connections from the web server may need to be adjusted.

If no OCSP URI is provided, contact your Certificate Authority to determine if one is available; if so, configure it with SSLStaplingForceURL in the virtual host that uses the certificate.
If multiple SSL-enabled virtual hosts are configured and OCSP Stapling should be disabled for some

Add SSLUseStapling Off to the virtual hosts for which OCSP Stapling should be disabled.
If the OCSP responder is slow or unreliable
Several directives are available to handle timeouts and errors. Refer to the mod_ssl reference manual.
If mod_ssl logs error AH02217
In order to support OCSP Stapling when a particular server certificate is used, the certificate chain for that certificate must be configured. If it was not configured as part of enabling SSL, the AH02217 error will be issued when stapling is enabled, and an OCSP response will not be provided for clients using the certificate.

Refer to the documentation for SSLCertificateFile for instructions on configuring the certificate chain.
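The per-virtual-host adjustments described in the sections above, collected into one added example (not configuration from the page or from the httpd project). It assumes the global SSLUseStapling and SSLStaplingCache directives are already in place; host names, file paths, the responder URL and the timeout values are placeholders.

```apache
# Added example: per-virtual-host OCSP stapling adjustments (not from the page).
# Assumes SSLUseStapling On and SSLStaplingCache are set at global scope.

<VirtualHost *:443>
    ServerName   www.example.com
    SSLEngine    on
    # Since httpd 2.4.8 the intermediate CA certificates may follow the server
    # certificate in this file. Without the chain, mod_ssl logs AH02217 and
    # staples nothing for this certificate.
    SSLCertificateFile     /etc/ssl/example/www.example.com.fullchain.pem
    SSLCertificateKeyFile  /etc/ssl/example/www.example.com.key

    # Only needed when the certificate carries no OCSP URI in its Authority
    # Information Access extension (check the file with
    #   openssl x509 -in www.example.com.fullchain.pem -noout -ocsp_uri)
    # or when a different responder must be used. Outbound HTTP from the web
    # server to this address must be allowed by the firewall.
    SSLStaplingForceURL    http://ocsp.example.com

    # Seconds to wait for the responder (default 10); keep it short so a slow
    # responder cannot stall handshakes that trigger a refresh.
    SSLStaplingResponderTimeout        5
    # Seconds a good response is reused before it is refreshed (default 3600).
    SSLStaplingStandardCacheTimeout    3600
    # Seconds a responder failure is remembered before retrying (default 600).
    SSLStaplingErrorCacheTimeout       600
    # With "off", responder errors are not passed to clients; the handshake
    # simply carries no staple. With "on" (the default), SSLStaplingFakeTryLater
    # on additionally synthesizes a "tryLater" response when the query fails.
    SSLStaplingReturnResponderErrors   off
</VirtualHost>

<VirtualHost *:443>
    ServerName   legacy.example.com
    SSLEngine    on
    SSLCertificateFile     /etc/ssl/example/legacy.example.com.pem
    SSLCertificateKeyFile  /etc/ssl/example/legacy.example.com.key
    # Opt this host out of stapling, e.g. because its issuer runs no responder.
    SSLUseStapling         off
</VirtualHost>
```

Returning responder errors to clients (the default) is the stricter choice, since a browser that receives an error may refuse the connection; turning it off trades that for availability while the responder is unreachable, which is the failure mode the timeout section above is about.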
All SSL and TLS versions older than 1.2 have many known vulnerabilities, such as POODLE (CVE-2014-3566), which is why the latest browsers have removed support for these protocols. We also recommend moving your server to newer TLS versions, specifically TLS 1.2. This tutorial will help you to enable TLS 1.2 and TLS 1.3 in mod_ssl on Apache servers.

To enable TLS 1.3 you must have Apache version 2.4.38 or higher on your system. Also locate the SSL virtual host configuration file on your system.

Generally, Debian-based systems have these files under the /etc/apache2/sites-enabled directory.

Red Hat (RPM) based systems have their configuration in the /etc/httpd/conf/httpd.conf file or in a separate file under the /etc/httpd/conf.d directory.
Enable TLS 1.2 only in Apache
First, edit the virtual host section for your domain in the Apache SSL configuration file on your server and set SSLProtocol as follows. This will disable all older protocols on your Apache server and enable TLSv1.2 only.
The minimal Apache virtual host with SSL looks like:
Enable TLS 1.3 & 1.2 Both in Apache
Apache version 2.4.38 and higher support TLS v1.3. You must upgrade the Apache packages before enabling TLS 1.3 in the SSL settings.
The simplest Apache VirtualHost with SSL looks like below
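An SSL virtual host for both variants above (TLS 1.2 only, and TLS 1.3 with 1.2), as an added example that is not configuration from the page or from the tutorial's author. The host name, document root and certificate paths are placeholders.

```apache
# Added example: SSL virtual host restricted to modern TLS (not from the page).
# Debian/Ubuntu keep such files under /etc/apache2/sites-enabled/, RPM-based
# systems under /etc/httpd/conf.d/.

<VirtualHost *:443>
    ServerName    www.example.com
    DocumentRoot  /var/www/example

    SSLEngine on
    SSLCertificateFile     /etc/ssl/example/www.example.com.fullchain.pem
    SSLCertificateKeyFile  /etc/ssl/example/www.example.com.key

    # "-all" removes every protocol version (SSLv3, TLSv1, TLSv1.1, ...), then
    # only the listed versions are added back.

    # TLS 1.2 only (any httpd 2.4):
    # SSLProtocol -all +TLSv1.2

    # TLS 1.2 and 1.3 (needs httpd 2.4.38 or later built against an OpenSSL
    # that supports TLS 1.3; an older build rejects the +TLSv1.3 token):
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
```

Run `apachectl configtest` before restarting (`systemctl restart apache2` on Debian/Ubuntu, `systemctl restart httpd` on RPM-based systems). To confirm the old versions are really gone, `openssl s_client -connect www.example.com:443 -tls1_1 < /dev/null` must fail with a handshake error, while `openssl s_client -connect www.example.com:443 -tls1_3 < /dev/null` reports `Protocol  : TLSv1.3` when the client's OpenSSL supports it.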
After making changes in your configuration file, restart the Apache service to apply new settings.