如果要讓自己的網站支援 SSL 的話,就要在 Apache 設定中加上 SSL 的設定。關於 SSL 憑證可以用申請的,也可以用自己建立的。
以下將針對 "自行產生" SSL 憑證說明。(請先想好自己要用的密碼喔!)
以下將針對 "自行產生" SSL 憑證說明。(請先想好自己要用的密碼喔!)
先產生 SSL (2048bit)
#openssl genrsa -des3 -out ssl/ca.key 2048 openssl genrsa -des3 -out ssl/ca.key 2048 #openssl req -config openssl.cnf -new -key ssl/ca.key -out ssl/ca.csr
Enter pass phrase for ssl/ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:TW State or Province Name (full name) [Berkshire]:Taiwan Locality Name (eg, city) [Newbury]:Taipei Organization Name (eg, company) [My Company Ltd]:Your Company Organizational Unit Name (eg, section) []:Your OU Common Name (eg, your name or your server's hostname) []:www.example.com Email Address []:admin@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:yourpassword An optional company name []:
# openssl x509 -days 3650 -req -signkey ssl/ca.key -in ssl/ca.csr -out ssl/ca.crt # openssl genrsa -out ssl/server.key 2048 # openssl req -config openssl.cnf -new -key ssl/server.key -out ssl/server.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:TW TaiState or Province Name (full name) [Berkshire]:Taiwan Locality Name (eg, city) [Newbury]:Taipei Organization Name (eg, company) [My Company Ltd]:Your Company Organizational Unit Name (eg, section) []:Your OU Common Name (eg, your name or your server's hostname) []:www.example.com Email Address []:admin@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:yourpassword An optional company name []:
# openssl ca -config openssl.cnf -days 3650 -cert ssl/ca.crt -keyfile ssl/ca.key -in ssl/server.csr -out ssl/server.crt # openssl x509 -req -days 3650 -in ssl/server.csr -signkey ssl/server.key -out ssl/server.cert
記得要把產生的檔案都放到 /etc/httpd/conf/ 下面。
最後就是在 httpd.conf 中,你所要用到的 virtual domain 中加上:
SSLEngine On SSLCertificateFile conf/ssl/server.cert SSLCertificateKeyFile conf/ssl/server.key SSLCertificateChainFile conf/ssl/ca.crt
除此之外,為了提高安全性,要停用 SSLv2, SSLv3, 只保留 TLS
先產生 Diffie Hellman 參數
openssl dhparam -out dhparam.pem 4096
然後是增加以下設定
SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on # for apache 2.4.x # SSLOpenSSLConfCmd DHParameters dhparams.pem
Prev