mod_ssl (Apache SSL Module)

mod_ssl is an Apache module that provides SSL (Secure Sockets Layer) and TLS (Transport Layer Security) support to the Apache HTTP Server, enabling secure communication over HTTPS.

Installing mod_ssl

On most Linux distributions, mod_ssl can be installed using the package manager.

For RHEL/CentOS:

sudo yum install mod_ssl

For Debian/Ubuntu:

sudo apt-get install libapache2-mod-ssl

After installation, the module should be enabled automatically. If not, you can enable it manually.

For Debian/Ubuntu:

sudo a2enmod ssl
sudo systemctl restart apache2

Configuring mod_ssl

The configuration for mod_ssl is typically found in the /etc/httpd/conf.d/ssl.conf file for RHEL/CentOS or /etc/apache2/sites-available/default-ssl.conf for Debian/Ubuntu.

Key Directives in SSL Configuration

1. LoadModule Ensure the SSL module is loaded:

LoadModule ssl_module modules/mod_ssl.so

2. Listen Specify the port for HTTPS traffic:

Listen 443

3. SSL Engine Enable SSL for the server:

SSLEngine on

4. SSLCertificateFile Specify the path to the server's SSL certificate:

SSLCertificateFile /etc/pki/tls/certs/server.crt

5. SSLCertificateKeyFile Specify the path to the server's private key:

SSLCertificateKeyFile /etc/pki/tls/private/server.key

6. SSLCertificateChainFile If using an intermediate certificate, specify its path:

SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

7. SSLCACertificateFile Specify the path to the CA certificate if client authentication is required:

SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Example SSL Virtual Host Configuration

<VirtualHost _default_:443>
    ServerAdmin webmaster@example.com
    DocumentRoot "/var/www/html"
    ServerName www.example.com:443

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Enabling and Testing SSL Configuration

Step 1: Enable the SSL Virtual Host For Debian/Ubuntu:

sudo a2ensite default-ssl
sudo systemctl reload apache2

For RHEL/CentOS, ensure that the ssl.conf file in /etc/httpd/conf.d/ is properly configured and included in the main configuration.

Step 2: Restart Apache

sudo systemctl restart httpd  # For RHEL/CentOS
sudo systemctl restart apache2  # For Debian/Ubuntu

Step 3: Verify the Configuration You can verify your SSL configuration using various tools:

• OpenSSL Command Line:

  openssl s_client -connect www.example.com:443

• Online SSL Test Services: Use tools like SSL Labs' SSL Test to analyze your SSL configuration.

Security Enhancements

1. Enforce Strong Protocols Disable older protocols like SSLv2 and SSLv3, and only allow strong protocols like TLSv1.2 and TLSv1.3:

SSLProtocol all -SSLv2 -SSLv3

2. Use Strong Ciphers Specify strong ciphers to prevent weak encryption:

SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

3. Enable HSTS HTTP Strict Transport Security (HSTS) forces clients to only interact with the server over HTTPS:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

4. OCSP Stapling OCSP stapling improves the performance of certificate status verification:

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"

Conclusion

mod_ssl is a crucial module for enabling secure HTTPS communication on the Apache HTTP Server. By properly configuring httpd.conf and ssl.conf, you can ensure that your web server handles SSL/TLS traffic efficiently and securely. This includes loading the required modules, setting up the SSL virtual hosts, and applying security enhancements like strong protocols and ciphers, HSTS, and OCSP stapling.