Picture of Brian Love wearing black against a dark wall in Portland, OR.

Brian Love

HTTPS Protocols and Ciphers

As part of a series on using HTTPS Everywhere we are migrating a website from HTTP to HTTPS. Previously we configured our web server with an SSL certificate, and we are now ready to configure the SSL engine on our server.

For this article I will mention the best practices for configuring both your Apache and IIS web server. For the IIS configuration I will be using the free IIS Crypto tool by Nartac Software.

FWIW, I am not a security expert. So, I am following the best practices as prescribed by Mozilla on their server side TLS article.

Apache Web Server

For the apache configuration I will generally copy/paste the recommended configuration from Mozilla. Here is what I did:

These modifications are made to the httpd-ssl.conf file, which is located for me at: /etc/apache2/extra/httpd-ssl.conf.

#General setup for the virtual host
DocumentRoot "/www/local.example.com/www"
ServerName local.example.com
ErrorLog "/private/var/log/apache2/local.example.com-error_log"
CustomLog "/private/var/log/apache2/local.example.com-access_log" common

#SSL Engine Switch:
SSLEngine on

#Server Certificate:
SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.crt"

#Server Private Key:
SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com.key"

#SSL Engine Options:
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars

<Directory "/Library/WebServer/CGI-Executables">
SSLOptions +StdEnvVars

# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off

# On Apache 2.4+, SSLStaplingCache must be set *outside* of the VirtualHost
SSLStaplingCache shmcb:/var/run/ocsp(128000)

The SSL configuration above does the following.

As a side note, you can validate that your openssl version supports the ciphers. Just copy the list of ciphers into the following command:


The result of running this command indicates that all ciphers are supported.

OpenSSL Ciphers

As always, we want to test our Apache configuration and restart the server. Assuming everything is OK, we should be able to pull up our HTTPS site in a modern browser.

IIS Crypto

Setting up the IIS cryptography is simplified greatly by using a free tool from Nartac Software called IIS Cryto. Download IIS Crypto

The download is just a .exe file. Copy this to the desktop and launch it. I will simply select the Best Practices option and click Apply. These options will disable the old protocols (SSL v 2.0 and 3.0) and will set the recommended cipher suites.

IIS Crypto

After applying the new settings be sure to restart the Windows server.

Testing SSL

The last step is to test our SSL configuration. There are three popular, and free, tools that will help you. I prefer to use the Qualys tool.

Here is a screen shot of my score from the Qualys SSL Labs website.

Qualys SSL Labs