SSL/TLS Best Practices: Hardening your Apache Config for an A+ Rating on SSL Labs

Achieving an A+ Rating: Hardening Apache SSL/TLS Configurations

Security is no longer optional in modern web administration. A robust SSL/TLS configuration not only protects your users’ data but also impacts your search engine rankings and overall site trust. To achieve an A+ rating on SSL Labs, you must go beyond basic encryption and adhere to strict configuration standards.

Step 1: Disable Insecure Protocols

Legacy protocols like SSLv2, SSLv3, TLS 1.0, and TLS 1.1 are vulnerable to attacks such as POODLE and BEAST. You must restrict your server to TLS 1.2 and 1.3 only.

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Step 2: Enforce Strong Cipher Suites

Weak ciphers are susceptible to decryption attacks. You must prioritize Forward Secrecy (FS) and AEAD ciphers. This configuration ensures that even if the private key is compromised in the future, past session data remains secure.

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

SSLHonorCipherOrder off

Step 3: Implement HSTS (HTTP Strict Transport Security)

HSTS tells browsers that your site should only be accessed over HTTPS. To get the highest score, you must include the “includeSubDomains” and “preload” directives. Add the following to the HTTPS VirtualHost configuration (it requires mod_headers). Note that once a domain is submitted to the browser preload lists the policy is effectively permanent, so confirm that every subdomain already serves HTTPS before enabling “preload”:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Step 4: Optimize Diffie-Hellman Parameters

If you are using RSA certificates (and therefore the DHE-RSA suites above), the default DH parameters are often too small. Generate a custom 4096-bit group to prevent Logjam-style attacks; this can take several minutes on a modest server:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Then, point Apache to this file:

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Step 5: Verification and Maintenance

After applying these changes, restart your Apache service to load the new security parameters:

sudo systemctl restart apache2

  • Always test your configuration using the Qualys SSL Labs server test tool, and re-test after every change.
  • Automate renewal and monitor your SSL certificate expiration dates with tools like Certbot.
  • Keep your OpenSSL library patched to the latest version provided by your distribution.
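Before restarting and submitting the host to SSL Labs, it helps to lint the config offline. The POSIX shell script below is an added example, not part of the original article or of Apache's tooling: it audits a config file against Steps 1 to 4 and runs on two constructed sample files. It assumes the `all -X` form of `SSLProtocol` shown in Step 1, and the one-year `max-age` floor is the HSTS preload list's minimum, not a figure from the article.

```shell
# Print the non-comment lines that start with the given directive (an ERE pattern).
directive_lines() { grep -v '^[[:space:]]*#' "$1" | grep -Ei "^[[:space:]]*$2[[:space:]]"; }
# Audit one Apache config file: one FAIL line per problem, exit status 0 only when clean.
audit_apache_tls() {
    cfg="$1"; rc=0
    # Step 1: the last SSLProtocol line wins; SSLv3, TLS 1.0 and TLS 1.1 must be switched off.
    proto=$(directive_lines "$cfg" SSLProtocol | tail -n 1)
    for legacy in SSLv3 TLSv1 TLSv1.1; do
        printf '%s\n' "$proto" | grep -Eq -- "-${legacy}([[:space:]]|"'$)' \
            || { echo "FAIL step1: SSLProtocol leaves $legacy enabled: ${proto:-<missing>}"; rc=1; }
    done
    # Step 2: suites must be ECDHE/DHE (forward secrecy) and GCM/CHACHA20 (AEAD); '!'/'@' entries are exclusions, skipped.
    ciphers=$(directive_lines "$cfg" SSLCipherSuite | tail -n 1 | awk '{print $2}' | tr -d '"')
    [ -n "$ciphers" ] || { echo "FAIL step2: SSLCipherSuite missing"; rc=1; }
    for c in $(printf '%s\n' "$ciphers" | tr ':' ' '); do
        case "$c" in
            ECDHE-*GCM*|ECDHE-*CHACHA20*|DHE-*GCM*|DHE-*CHACHA20*|'!'*|'@'*) ;;
            *) echo "FAIL step2: suite '$c' lacks forward secrecy or AEAD"; rc=1 ;;
        esac
    done
    # Step 3: max-age of at least one year (assumed threshold: the preload list minimum) plus both flags.
    hsts=$(directive_lines "$cfg" 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' | tail -n 1)
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ "${age:-0}" -ge 31536000 ] || { echo "FAIL step3: HSTS max-age '${age:-none}' is under one year"; rc=1; }
    for flag in includeSubDomains preload; do
        printf '%s\n' "$hsts" | grep -q "$flag" || { echo "FAIL step3: HSTS lacks $flag"; rc=1; }
    done
    # Step 4: a custom DH group must be wired in, since the DHE-* suites depend on it.
    directive_lines "$cfg" SSLOpenSSLConfCmd | grep -q DHParameters \
        || { echo "FAIL step4: no SSLOpenSSLConfCmd DHParameters line"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: $cfg satisfies all checks"
    return "$rc"
}
# Constructed samples, not real server files: the page's hardened vhost and a lax default.
tmp=$(mktemp -d); GOOD_CFG="$tmp/hardened.conf"; BAD_CFG="$tmp/weak.conf"
cat > "$GOOD_CFG" <<'EOF'
<VirtualHost *:443>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
</VirtualHost>
EOF
cat > "$BAD_CFG" <<'EOF'
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
Header always set Strict-Transport-Security "max-age=300"
EOF
audit_apache_tls "$GOOD_CFG"
audit_apache_tls "$BAD_CFG" || echo "weak.conf: fix the FAIL lines above, then restart Apache and re-test on SSL Labs"
```

Run it against your real file with `audit_apache_tls /etc/apache2/sites-enabled/your-site.conf`; a non-zero exit status means at least one step is not satisfied.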

By strictly enforcing these configurations, you protect your infrastructure from the most common cryptographic vulnerabilities and provide a secure environment for your users.
