Disable SSLv2 and SSLv3
SSLProtocol All -SSLv2 -SSLv3
If you are running Apache 2.2.24 or later, also add the following directive
SSLCompression off
Use a secure cipher suite
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
If you need to stay compatible with Windows XP / IE6, use the following cipher suite instead
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
Forward Secrecy & Diffie-Hellman Ephemeral Parameters: if you are running Apache 2.4.8 or later with OpenSSL 1.0.2 or later, you can run the following commands
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
Then add the following line to your site configuration file
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Depending on your Apache version, add the directives to the Apache site (virtual host) configuration file; see the example below
<VirtualHost *:443>
ServerAdmin webmaster@example.com
DocumentRoot "/home/sslaaa"
ServerName www.cheapssl.cn
SSLEngine on
SSLCertificateKeyFile /usr/local/httpd/sslaaa.key
SSLCertificateFile /usr/local/httpd/sslaaa.crt
SSLCertificateChainFile /usr/local/httpd/sslaaa.bundle
####/////////////////// SSL security settings: begin //////
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLHonorCipherOrder on
SSLCompression off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#####////////////////// SSL security settings: end //////////
......
</VirtualHost>
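A quick way to verify that a vhost file actually carries these settings, as an added example that is not part of this guide: a POSIX shell audit script. The function names and the two sample vhost files are constructed for the demonstration; the script reads the directives from a file and reports any that differ from the recommendations above.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an httpd vhost file for the directives above.
# Effective value of directive $2 in file $1 (last occurrence wins, as in httpd; '#' lines skipped).
directive() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//'
}
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
# Returns 0 when every check passes, 1 otherwise; prints one line per problem.
audit_ssl_conf() {
    conf="$1"; rc=0
    proto=$(lc "$(directive "$conf" SSLProtocol)")
    case "$proto" in
        ""|*+sslv2*|*+sslv3*) echo "FAIL SSLProtocol: unset or SSLv2/SSLv3 enabled"; rc=1 ;;
        *all*) case "$proto" in *-sslv3*) ;; *) echo "FAIL SSLProtocol: 'All' without -SSLv3"; rc=1 ;; esac ;;
    esac
    [ "$(lc "$(directive "$conf" SSLCompression)")" = "off" ] || { echo "FAIL SSLCompression: must be off"; rc=1; }
    [ "$(lc "$(directive "$conf" SSLHonorCipherOrder)")" = "on" ] || { echo "FAIL SSLHonorCipherOrder: must be on"; rc=1; }
    suite=$(directive "$conf" SSLCipherSuite)
    [ -n "$suite" ] || { echo "FAIL SSLCipherSuite: not set"; rc=1; }
    # Weak families are only acceptable as exclusions ('!RC4'), never as positive entries.
    for entry in $(printf '%s' "$suite" | tr ':' ' '); do
        case "$entry" in
            '!'*) ;;
            *RC4*|*MD5*|*NULL*|*EXPORT*|*LOW*) echo "FAIL SSLCipherSuite: weak entry $entry"; rc=1 ;;
        esac
    done
    grep -qiE '^[[:space:]]*SSLOpenSSLConfCmd[[:space:]]+DHParameters' "$conf" ||
        echo "WARN: no DHParameters (SSLOpenSSLConfCmd needs Apache 2.4.8+ and OpenSSL 1.0.2+)"
    return $rc
}
# Constructed samples: the hardened block from the guide, and a weak legacy vhost.
tmp=${TMPDIR:-/tmp}/ssl-audit.$$; mkdir -p "$tmp"
cat > "$tmp/hardened.conf" <<'EOF'
<VirtualHost *:443>
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
  SSLHonorCipherOrder on
  SSLCompression off
  SSLProtocol All -SSLv2 -SSLv3
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
</VirtualHost>
EOF
cat > "$tmp/weak.conf" <<'EOF'
<VirtualHost *:443>
  SSLProtocol all
  SSLCompression on
  SSLCipherSuite RC4-SHA:AES128-SHA:!aNULL
</VirtualHost>
EOF
for f in hardened weak; do audit_ssl_conf "$tmp/$f.conf" && echo "$f.conf: OK" || echo "$f.conf: NOT hardened"; done
```

Point `audit_ssl_conf` at your real vhost file to check it; the script only reads the file and never changes it.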