Apache 2 Configuration

To hide web server version number, server operating system details, installed Apache modules and more, open your Apache web server configuration file using your favorite editor:

$ sudo vi /etc/apache2/apache2.conf        #Debian/Ubuntu systems
$ sudo vi /etc/httpd/conf/httpd.conf       #RHEL/CentOS systems

And add/modify/append the lines below:

ServerTokens Prod
ServerSignature Off

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

I replaced the Godaddy certificates and this error came up.  After trying even restoring the entire VM. The solution was simple:  sudo a2ensite default-ssl.conf.  It somehow got disabled. 
 

If Fortinet name appears in SSLLab scans and you get a T.

When changing certificates on the 60E make sure the SSL/SSH Inspection Deep Certificates do have the actual certificate listed on each entry or you will get Fortinet coming up in SSLLab scans

Apache Page

This will put the repository to get to the latest version of Apache 2.

sudo add-apt-repository ppa:ondrej/apache2
sudo apt update
sudo apt install apache2

Enable SSL on Apache2

sudo a2enmod ssl
sudo a2enmod headers

sudo a2enmod authz_core authz_host access_compat socache_shmcb slotmem_shm socache_dbm

sudo service apache2 restart

See sections on OCSP Stapling and DNS CAA for more information.

Final sites-available configuration file

# OCSP Stapling
SSLCryptoDevice dynamic
SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
SSLSessionCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_scache(512000)

Mutex file:/var/log/apache2/wp.scsiraidguru.com/ ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin

ServerName scsiraidguru.com
Redirect permanent / https://scsiraidguru.com

ServerName www.scsiraidguru.com
Redirect permanent / https://www.scsiraidguru.com

ServerName wp.scsiraidguru.com
Redirect permanent / https://wp.scsiraidguru.com

ServerName science.scsiraidguru.com
Redirect permanent / https://science.scsiraidguru.com

ServerName virl.scsiraidguru.com
Redirect permanent / https://virl.scsiraidguru.com

ServerName scsiraidguru.com
Redirect permanent / https://wp.scsiraidguru.com
Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”

ServerName www.scsiraidguru.com
Redirect permanent / https://wp.scsiraidguru.com
Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”

ServerName wp.scsiraidguru.com
ServerAdmin mike.mckenney@scsiraidguru.com
ServerAlias www.scsiraidguru.com scsiraidguru.com
DocumentRoot /var/www/wp.scsiraidguru.com/public_html

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/xxxxxx.crt
SSLCertificateKeyFile /etc/apache2/ssl/xxxxx.key
SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
SSLOpenSSLConfCmd DHParameters “/etc/apache2/ssl/dhxxxxx.pem”
SSLOCSPEnable on
SSLUseStapling on
SSLOCSPResponseMaxAge 900
SSLOCSPResponseTimeSkew 300
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”
# Header set Set-Cookie HttpOnly;Secure: WordPress won’t work
Header set X-XSS-Protection “1; mode=block”
Header set Referrer-Policy “origin”
ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined

## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
SSLProtocol -all +TLSv1.3 +TLSv1.2

SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DES:!RC4:!MD5:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

## Permission for our DocumentRoot ##

Options Indexes FollowSymLinks
AllowOverride All

SSL Labs.com rating for this site

Testing TLS_FALLBACK_SCSV

My servers only support tls1.2 and tls1.3.  They can’t fall back to TSL1.1 or earlier.  I found this string from that tests for it.  

openssl s_client -connect wp.scsiraidguru.com:443 -fallback_scsv -no_tls1_2
CONNECTED(00000003)
140092949538112:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 134 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1590750080
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

SSL alert number 70 is The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.