Getting an “A+” on Qualys SSL Labs with Apache 2.2 on Debian

Notes for keeping Apache TLS secure on Debian Wheezy.

Apache and OpenSSL versions:

# apachectl -v
Server version: Apache/2.2.22 (Debian)
Server built:   Dec 23 2014 22:48:29
# dpkg -s apache2 | grep Version
Version: 2.2.22-13+deb7u4
# dpkg -s openssl | grep Version
Version: 1.0.1e-2+deb7u17

Excerpts from /etc/apache2/mods-available/ssl.conf:

# RSA 2048-bit SSL certificate
# (use a 4096-bit one and you may score 100 for key exchange)
# signature algorithm SHA256withRSA
SSLCertificateFile      /etc/ssl/webserver/web.crt
SSLCertificateKeyFile   /etc/ssl/webserver/web.key
SSLCertificateChainFile /etc/ssl/webserver/web-ca.crt

SSLProtocol all -SSLv2 -SSLv3

# DES-CBC3-SHA for IE8/XP support

SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1

# Guarantee HTTPS for 180 days including subdomains
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
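
One way to check that a deployed ssl.conf still carries the protocol, cipher-order and HSTS settings from the excerpt above. This is an added example, not part of the original notes: the function names are hypothetical and the sample config is constructed from the directives shown on this page.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an Apache TLS config for
# the directives shown in the excerpt. Function names are hypothetical.

# Print the last active (uncommented) value of a directive, lower-cased.
directive() {  # $1 = file, $2 = directive name (matched case-insensitively)
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = tolower($0) }
                   END { print v }' "$1"
}

# Succeed only if the space-padded SSLProtocol value leaves protocol $2 disabled.
proto_excludes() {  # $1 = " value ", $2 = sslv2 | sslv3
    case "$1" in
        "  ") return 1 ;;                       # directive missing
        *" +$2 "*|*" $2 "*) return 1 ;;         # protocol explicitly enabled
        *" all "*|*" +all "*)                   # "all" needs a matching -proto
            case "$1" in *" -$2 "*) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;                          # explicit list without it
    esac
}

# Print the max-age (seconds) of the Strict-Transport-Security header, or 0.
hsts_max_age() {  # $1 = file
    awk 'tolower($1) == "header" && tolower($0) ~ /strict-transport-security/ {
             if (match(tolower($0), /max-age=[0-9]+/)) a = substr($0, RSTART + 8, RLENGTH - 8)
         } END { print a + 0 }' "$1"
}

# Run a test command and report PASS/FAIL under the given description.
check() { d=$1; shift; if "$@"; then echo "PASS  $d"; else echo "FAIL  $d"; fail=1; fi; }

audit_ssl_conf() {  # $1 = path to config; returns 0 only if every check passes
    fail=0
    proto=" $(directive "$1" SSLProtocol) "
    check "SSLProtocol excludes SSLv2" proto_excludes "$proto" sslv2
    check "SSLProtocol excludes SSLv3" proto_excludes "$proto" sslv3
    check "SSLHonorCipherOrder on" test "$(directive "$1" SSLHonorCipherOrder)" = on
    check "HSTS max-age >= 15768000" test "$(hsts_max_age "$1")" -ge 15768000
    return "$fail"
}

# Constructed sample: the three directives as they appear in the excerpt.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
EOF
audit_ssl_conf "$sample"; rm -f "$sample"
```

The audit reads a single file and does not follow Include directives or per-VirtualHost overrides. The Header directive only takes effect when mod_headers is enabled.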

SSL Labs scan result: