Now my site supports Perfect Forward Secrecy (PFS)
Wednesday, Jan 15, 2014
Like many other people living under the shadow of mass surveillance by some of the world's governments and organisations, I decided to update my server to support perfect forward secrecy. I know there may not be much important content on my site for now, but as a site administrator who is able to update the server to provide stronger and more robust traffic encryption, I think it is important and necessary.
Update is not that easy
I am using Arch Linux as my server OS, whose Apache package was stuck at version 2.2.x, presumably because of some technical difficulties. I had to download the source from the AUR and compile it manually (although that is much easier than downloading the source and starting from scratch). The problem for me was that I was using httpd.itk, an Apache patch that lets each virtual host run with the permissions of its directory owner, which is a really good thing (do some Googling if you are not sure whether you need it).
So I had to decide how to achieve the same result with Apache 2.4.x. The major difficulty is that httpd.itk is not well supported in the AUR and is not a mature option for Apache 2.4.x, so I decided to take the “better” and “normal” approach: php-fpm behind Apache's proxy modules.
The Cipher Suite
I won’t go through the whole process and all the configuration files, because it isn’t that interesting for most of you and there are thousands of great articles telling you how to do it. I am just going to list the most important thing: the cipher suite.
SSLCompression Off
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder On
Yes, that’s it. With this you will have a quite robust cipher suite that gives your visitors better encryption algorithms. Here is the original article by Hynek Schlawack on this cipher choice, with a really good explanation.
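To see why the order of that string and SSLHonorCipherOrder On matter for forward secrecy, here is a small model, added for this post and not part of the original or of Apache/OpenSSL, that expands the cipher string over a constructed subset of real OpenSSL suite names and simulates which suite a client ends up with; the suite table and its keyword tags are assumptions that abbreviate OpenSSL's real cipher-string keywords.

```python
# Added example: models how OpenSSL expands the SSLCipherSuite string above and how
# SSLHonorCipherOrder changes the negotiated suite. The suite table is a constructed
# subset of real OpenSSL names; tags mirror cipher-string keywords (ECDH/DH = ephemeral
# key exchange, kRSA = static RSA key exchange, aRSA/aDSS/aNULL = authentication).
CIPHER_SUITE = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

SUITES = {  # name -> keywords the suite matches (constructed, abbreviated table)
    "ECDHE-RSA-AES256-GCM-SHA384": {"ECDH", "aRSA", "RSA", "AESGCM", "AES256", "AES", "SHA384"},
    "DHE-RSA-AES256-GCM-SHA384":   {"DH", "aRSA", "RSA", "AESGCM", "AES256", "AES", "SHA384"},
    "ECDHE-RSA-AES128-SHA":        {"ECDH", "aRSA", "RSA", "AES128", "AES", "SHA1"},
    "DHE-RSA-AES128-SHA":          {"DH", "aRSA", "RSA", "AES128", "AES", "SHA1"},
    "ECDHE-RSA-DES-CBC3-SHA":      {"ECDH", "aRSA", "RSA", "3DES", "SHA1"},
    "DHE-DSS-AES128-SHA":          {"DH", "aDSS", "DSS", "AES128", "AES", "SHA1"},
    "AES128-SHA":                  {"kRSA", "aRSA", "RSA", "AES128", "AES", "SHA1"},
    "DES-CBC3-SHA":                {"kRSA", "aRSA", "RSA", "3DES", "SHA1"},
    "RC4-MD5":                     {"kRSA", "aRSA", "RSA", "RC4", "MD5"},
    "AECDH-AES128-SHA":            {"ECDH", "aNULL", "AES128", "AES", "SHA1"},
}

def expand(spec):
    """Expand a cipher string into an ordered suite list. Models three rules:
    'A+B' keeps suites matching every keyword; a suite already in the list is
    not moved when matched again; '!X' removes matching suites permanently."""
    order, banned = [], set()
    for token in spec.split(":"):
        if token.startswith("!"):
            banned.add(token[1:])
            continue
        wanted = set(token.split("+"))
        for name, tags in SUITES.items():
            if wanted <= tags and name not in order:
                order.append(name)
    return [n for n in order if not (SUITES[n] & banned)]

def forward_secret(name):
    """Only ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not."""
    return bool(SUITES[name] & {"ECDH", "DH"})

def negotiate(server_order, client_offer, honor_server_order):
    """SSLHonorCipherOrder On: first server-preferred suite the client supports.
    Off: the client's own preference order wins instead."""
    first, second = (server_order, client_offer) if honor_server_order else (client_offer, server_order)
    return next((c for c in first if c in second), None)

if __name__ == "__main__":
    order = expand(CIPHER_SUITE)
    for n in order:
        print(f"{'FS   ' if forward_secret(n) else 'no-FS'}  {n}")
    client = ["AES128-SHA", "ECDHE-RSA-AES128-SHA"]  # constructed client preferring static RSA
    print("HonorCipherOrder On :", negotiate(order, client, True))
    print("HonorCipherOrder Off:", negotiate(order, client, False))
```

With the server order honoured, the constructed client gets ECDHE-RSA-AES128-SHA even though it listed AES128-SHA first; with SSLHonorCipherOrder Off it would fall back to the non-forward-secret static RSA suite.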
With this setup, here is what I got from Qualys SSL Labs:
Here is what I got from Calomel SSL Validation: