HOWTO enable forward secrecy for apache2

Introduction

Prompted by the recent Heartbleed disaster, I stumbled over this fine SSL test site:

https://www.ssllabs.com/ssltest/

With its help I found out that the standard openSUSE 13.1 HTTPS configuration for Apache that I was using is not as secure as it could be.
With the standard settings, the session keys are protected only by the server's long-term RSA key: if someone recorded the traffic to my site and later obtained that key, for example via a Heartbleed attack, they could decrypt everything they had captured in the past.

The more secure settings below, which come with only a small performance penalty, would have prevented this: every session negotiates its own ephemeral key, so the stolen server key unlocks none of the recorded sessions. An attacker would have been limited to whatever could be read from server memory at the time of the attack, plus actively impersonating the server with the stolen key until it was revoked and replaced.

Prerequisite

A running Apache with a working SSL configuration on openSUSE 13.1. I don't expect it to be very different on other versions or even other distributions, but expect minor differences.

Implementation

The implementation is very easy. Find these directives in your Apache configuration, replace the existing values and add the missing ones.
If you use the standard openSUSE 13.1 configuration like me, you will need to replace SSLProtocol in /etc/apache2/vhosts.d/vhost-ssl.conf and add the other two directives in the same file.


SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Now check the syntax with apachectl configtest, restart Apache (systemctl restart apache2) and you are done. Running the SSL Labs test against your site afterwards should show "Forward Secrecy" supported for all modern browsers.

Background

The above settings enable a feature called "Forward Secrecy". The SSLCipherSuite line prefers suites with ephemeral ECDH or DH key exchange (EECDH and EDH): the server's RSA key then only signs the handshake and is never used to encrypt the session key, so stealing it later does not help with recorded traffic. SSLHonorCipherOrder on makes the server, not the client, choose from that ordered list, and SSLProtocol drops the obsolete SSLv2 and SSLv3.
Two caveats: the bare RC4 term at the end of the list deliberately admits RC4-SHA with plain RSA key exchange as a last-resort fallback for old clients, and that fallback has no forward secrecy at all; RC4 has since been prohibited in TLS altogether (RFC 7465), so on a current system drop the two RC4 entries and add !RC4 instead. And SSLProtocol all -SSLv2 -SSLv3 still leaves TLSv1.0 and TLSv1.1 enabled, which current guidance disables as well.
Please use the site mentioned above for background info on this or for newer and better versions of the configuration. I am by no means an expert on this.
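To see what that SSLCipherSuite string actually expands to, and which of the resulting suites give forward secrecy, here is a small check written for this page (it is not part of the original HOWTO, of Apache or of openSUSE). It uses Python's ssl module, which drives the same OpenSSL cipher-string parser that mod_ssl uses, and classifies each suite by its key-exchange method: only ECDHE and DHE (and every TLS 1.3 suite) survive a later theft of the server key. The "strict" variant without RC4 is my own assumption of what a current version of the list looks like, not something the page recommends.

```python
"""Expand an Apache SSLCipherSuite string and flag suites without forward
secrecy.  Added example for this page; not part of the HOWTO or of Apache."""
import ssl

# Constructed copy of the SSLCipherSuite value from the HOWTO above.
HOWTO_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Assumed stricter variant (mine, not the page's): no RC4, hence no plain-RSA fallback.
STRICT_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA "
    "!aNULL !eNULL !LOW !3DES !MD5 !RC4 !EXP !PSK !SRP !DSS"
)

# Key-exchange methods that derive a fresh secret per session.  Plain "kx-rsa"
# encrypts the premaster secret to the server's long-term key, which is exactly
# what a later key theft (Heartbleed) lets an attacker undo.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def expand_ciphers(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()        # dicts with name, protocol, kea, auth, ...


def is_forward_secret(cipher):
    """True if a session under this suite survives later theft of the server key."""
    if cipher["protocol"] == "TLSv1.3":
        return True  # TLS 1.3 always performs an ephemeral (EC)DHE exchange
    return cipher["kea"] in FORWARD_SECRET_KX


def non_forward_secret(cipher_string):
    """Names of the suites in cipher_string that lack forward secrecy."""
    return [c["name"] for c in expand_ciphers(cipher_string) if not is_forward_secret(c)]


def tls12_preference(cipher_string):
    """Pre-TLS-1.3 suites in the order the server prefers them, which is the
    order SSLHonorCipherOrder on enforces against the client's own list."""
    return [c for c in expand_ciphers(cipher_string) if c["protocol"] != "TLSv1.3"]


def report(label, cipher_string):
    """Print one line per suite with its key exchange and a forward-secrecy mark."""
    print(f"== {label}")
    for c in expand_ciphers(cipher_string):
        mark = "FS" if is_forward_secret(c) else "NO-FS"
        print(f"{mark:6} {c['protocol']:8} {c['kea']:9} {c['auth']:11} {c['name']}")
    print("non-forward-secret suites:", non_forward_secret(cipher_string) or "none", "\n")


if __name__ == "__main__":
    report("HOWTO list", HOWTO_CIPHERS)
    report("strict list (no RC4)", STRICT_CIPHERS)
    report("plain RSA key exchange", "AES256-GCM-SHA384")
```

On an OpenSSL build that still contains RC4, the report for the HOWTO's string lists RC4-SHA as the one suite without forward secrecy: the bare RC4 term at the end admits the RSA-key-exchange fallback. OpenSSL has compiled RC4 out by default since 1.1.0, and on such builds the RC4 terms are silently ignored, so the same string expands to a fully forward-secret list. The order of the TLS 1.2 suites follows the order of the terms in the string, which is why the ECDSA GCM suites come first and the DHE suites last.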