Changed: 9.8.24

To hide the web server version number, operating system details, installed Apache modules and more, open your Apache configuration file in your favorite editor:

$ sudo vi /etc/apache2/apache2.conf        #Debian/Ubuntu systems
$ sudo vi /etc/httpd/conf/httpd.conf       #RHEL/CentOS systems 

Then add or modify the lines below:

ServerTokens Prod
ServerSignature Off 
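As an added check (not part of the original post), the script below audits an Apache config file for the two directives above. Apache honours the last occurrence of a directive, so the audit reads the last uncommented one; the config path you pass is your own, and the sample config the script builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit the effective
# ServerTokens / ServerSignature settings in an Apache config file.
# Apache honours the last occurrence of a directive, so the audit takes the
# last uncommented line. The config path is an assumption; pass your own.

# Print the argument of the last uncommented occurrence of directive $2 in
# file $1, lower-cased; prints nothing when the directive is absent.
effective_directive() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
        | tail -n 1 \
        | awk '{print $2}' \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 when the file hides version and module details, 1 otherwise.
check_server_exposure() {
    conf="$1"
    status=0
    tokens=$(effective_directive "$conf" ServerTokens)
    signature=$(effective_directive "$conf" ServerSignature)
    if [ "$tokens" != "prod" ]; then
        echo "ServerTokens is '${tokens:-unset, defaults to Full}', want Prod"
        status=1
    fi
    if [ "$signature" != "off" ]; then
        echo "ServerSignature is '${signature:-unset, defaults to Off}', want Off"
        status=1
    fi
    return $status
}

# Demo on a constructed config: an early ServerTokens Full is overridden by a
# later ServerTokens Prod, and the commented-out line is ignored.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
ServerTokens Full
# ServerTokens OS
ServerTokens Prod
ServerSignature Off
EOF
if check_server_exposure "$demo_conf"; then
    echo "$demo_conf: server details hidden"
fi
rm -f "$demo_conf"
```

On Debian/Ubuntu the shipped defaults (ServerTokens OS, ServerSignature On) live in /etc/apache2/conf-enabled/security.conf rather than in apache2.conf, so run the check against that file as well. After a restart, `curl -sI https://your-host/ | grep -i '^Server:'` should show nothing more than `Server: Apache`.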

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Deprecated SSL certificate directives

Apache 2.4.8 and later deprecates the separate chain-file directive (SSLCertificateChainFile) but does not remove it; the full chain can go straight into SSLCertificateFile, as in the directives below.

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<full-chain-bundle>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key

I read you only need this now. I will be trying it this week.

SSLCertificateFile /etc/letsencrypt/live/www.MYDOMAIN.com/fullchain.pem
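Because the whole chain now goes into SSLCertificateFile, a bundle in the wrong order (root or intermediate before the leaf) is a common cause of chain warnings in SSL Labs. The script below is added here and is not part of the original post: it splits a PEM bundle and checks that each certificate's issuer is the subject of the next one. It assumes openssl is installed; every path it uses is a temporary file it creates, and the test CA and leaf it generates are throwaway demo material.

```shell
#!/bin/sh
# Added example, not from the original post: check that a PEM bundle for
# SSLCertificateFile is in the order Apache expects (leaf first, then each
# issuing intermediate, optionally ending at the root). All paths are
# temporary files created by this script; openssl is assumed to be present.

# Split the bundle into one file per certificate and verify that the issuer
# of certificate i equals the subject of certificate i+1. Returns 0 when the
# order is consistent, 1 otherwise.
check_chain_order() {
    bundle="$1"
    parts=$(mktemp -d)
    awk -v dir="$parts" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    count=$(ls "$parts" | wc -l | tr -d ' ')
    rc=0
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle"
        rc=1
    fi
    i=1
    while [ "$i" -lt "$count" ]; do
        cur=$(printf '%s/cert%03d.pem' "$parts" "$i")
        nxt=$(printf '%s/cert%03d.pem' "$parts" $((i + 1)))
        # Strip the "issuer=" / "subject=" prefix so the two strings compare.
        issuer=$(openssl x509 -in "$cur" -noout -issuer | sed 's/^[^=]*=//')
        subject=$(openssl x509 -in "$nxt" -noout -subject | sed 's/^[^=]*=//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is issued by [$issuer] but certificate $((i + 1)) is [$subject]"
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$parts"
    return $rc
}

# Build a throwaway test CA and a leaf certificate it signs, then write the
# bundle in the correct order (good.pem) and reversed (bad.pem) into $1.
make_demo_chain() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/good.pem"
    cat "$dir/ca.crt" "$dir/leaf.crt" > "$dir/bad.pem"
}

# Demo: build the throwaway chain and check both orderings.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_chain "$demo"
    check_chain_order "$demo/good.pem" && echo "good.pem: order is consistent"
    check_chain_order "$demo/bad.pem" || echo "bad.pem: order is wrong, as expected"
    rm -rf "$demo"
fi
```

Run `check_chain_order /etc/letsencrypt/live/www.MYDOMAIN.com/fullchain.pem` (or whatever bundle SSLCertificateFile points at) before restarting Apache; a self-signed root at the end of the bundle is allowed, since the loop only compares each certificate with the one after it.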

If the Fortinet name appears in SSL Labs scans and you get a T (trust) grade:

When changing certificates on the 60E, make sure the SSL/SSH Inspection deep-inspection certificate entries each list the actual certificate, or Fortinet will keep showing up in SSL Labs scans.

This adds the PPA repository that provides the latest Apache 2 packages, installs Apache, and enables the default SSL site:


sudo add-apt-repository ppa:ondrej/apache2
sudo apt update
sudo apt install apache2
sudo a2ensite default-ssl.conf

Important commands to run for SSL, headers, etc.

Enable SSL on Apache2

sudo a2enmod ssl
sudo a2enmod headers

sudo a2enmod authz_core authz_host access_compat socache_shmcb slotmem_shm socache_dbm

sudo service apache2 restart

See sections on OCSP Stapling and DNS CAA for more information.

SSL Labs.com rating for this site

Testing TLS_FALLBACK_SCSV

My servers only support TLS 1.2 and TLS 1.3. They can't fall back to TLS 1.1 or earlier. I found this string that tests for it.

openssl s_client -connect wp.scsiraidguru.com:443 -fallback_scsv -no_tls1_2
CONNECTED(00000003)
140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 134 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1590750080
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

SSL alert number 70 (protocol_version) means: the protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.
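Reading the transcript by eye works for one host, but it helps to have the outcome classified. The script below is an added example, not part of the original post: it wraps the same s_client probe and sorts the output into the cases a defender cares about. The captured transcript it embeds is the post's own output above (the host name wp.scsiraidguru.com is the post's); the "accepted" sample in the test is constructed. One caveat worth knowing: alert 70 appears here because the server does not speak TLS 1.1 at all. A server that still offers TLS 1.1 but honours TLS_FALLBACK_SCSV answers with alert 86 (inappropriate_fallback) instead; both outcomes mean the downgrade was refused.

```shell
#!/bin/sh
# Added example, not from the original post: run the TLS_FALLBACK_SCSV probe
# and classify what the server answered. The captured transcript is the
# post's own output; the host name is the post's.

# Classify an openssl s_client transcript read from stdin:
#   rejected-protocol-version        alert 70: server does not speak TLS 1.1 at all
#   rejected-inappropriate-fallback  alert 86: server saw the SCSV and refused
#   accepted                         a downgraded session was established (bad)
#   unknown                          anything else (DNS failure, timeout, ...)
classify_fallback_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qE 'alert number 70|alert protocol version'; then
        echo rejected-protocol-version
    elif printf '%s\n' "$out" | grep -qE 'alert number 86|inappropriate fallback'; then
        echo rejected-inappropriate-fallback
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is' \
         && ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo accepted
    else
        echo unknown
    fi
}

# Probe a host with the client capped at TLS 1.1 and print the classification.
# -no_tls1_3 is needed on OpenSSL 1.1.1 and later, which would otherwise keep
# offering TLS 1.3 regardless of -no_tls1_2 (older builds without TLS 1.3
# support reject the flag, which shows up as "unknown").
probe_fallback() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" \
        -fallback_scsv -no_tls1_3 -no_tls1_2 </dev/null 2>&1 \
        | classify_fallback_output
}

# Demo on the captured transcript from the post (abridged to the lines that
# matter for classification).
captured='CONNECTED(00000003)
140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
no peer certificate available
New, (NONE), Cipher is (NONE)
Protocol : TLSv1.1'
printf '%s\n' "$captured" | classify_fallback_output   # prints rejected-protocol-version
```

Use `probe_fallback wp.scsiraidguru.com` (or your own host) to run it live; only "accepted" means the server let the capped client through, which is the result that would cost points in the SSL Labs report.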