Enabling Perfect Forward Secrecy | Fixing Perfect Forward SecrecyEnabling Perfect Forward Secrecy | Fixing Perfect Forward Secrecy
Using ssllabs.com to test the certificate on a server will grade the certificate with a score (A, B, C, D, F). The grade was capped to B due to Perfect Forward Secrecy and gave the following for a reference:
https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
OK, I don't know what Perfect Forward Secrecy is. All I really care about is getting the grade to A. What do I have to do?
Reading the link, I thought the certificate was incorrect and started to look for how to recreate the certificate using ECDHE instead of RSA. That is because of the lines, "Instead of using the RSA method for exchanging session keys, you should use the Elliptic Curve Diffie-Hellman (ECDHE) key exchange" and my inability to understand where I "can still use the RSA public-key cryptosystem as the encryption algorithm, just not as the key exchange algorithm."
Recreating the certificate is incorrect. The certificate is fine using the instructions found in the other article on this site.
The solution is found in the Apache/HTTPD server with the settings found in the following file on the server:
/etc/httpd/config/httpd.conf
The server already had the following:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
#SSLHonorCipherOrder on
All I had to do was turn on the SSLHonorCipherOrder:
SSLHonorCipherOrder on
And while I was at it, turn off TLSv1.1 since that was removed in January 2020 from most major browsers:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
That left us with:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
Restart Apache/HTTPD with:
apachectl -k restart
Enjoy the grade of letter A!
NOTES:
-use the following to see what ciphers are accepted: openssl ciphers -v
-the server didn't have the option to turn on the CipherOrder, I had to create a template fragment called 35SSL10SSLHonorCipherOrder and filed bug 10916. This will probably make its way into the base.
-for the curious, the following are the short steps:
config setprop modSSL HonorCipherOrder on
config setprop httpd-e-smith TLSv1.1 disabled
signal-event domain-modify
signal-event email-update