Last updated: 2026-02-11
Apache TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for the Apache HTTP Server using mod_ssl. These settings are designed to achieve an A+ rating on Qualys SSL Labs while maintaining compatibility with modern clients.
Prerequisites
- Apache 2.4.36 or later (for TLS 1.3 support via OpenSSL 1.1.1)
- mod_ssl and mod_headers enabled
- OpenSSL 1.1.1 or later
- A valid SSL/TLS certificate from a trusted CA
Ensure the required modules are loaded:
LoadModule ssl_module modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Protocol Versions
Disable all legacy protocols and allow only TLS 1.2 and TLS 1.3:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Cipher Suites
Use only AEAD cipher suites with ECDHE key exchange for forward secrecy. Apache 2.4.43+ supports separate cipher configuration for TLS 1.2 and TLS 1.3: the SSLCipherSuite line without a protocol keyword applies to TLS 1.2 (and earlier), and the line prefixed with TLSv1.3 applies to TLS 1.3 only:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Since every suite in the list is considered equally strong, the server does not need to impose its own order and can let the client's preference decide:
SSLHonorCipherOrder off
Certificate Configuration
SSLCertificateFile /etc/httpd/ssl/fullchain.pem
SSLCertificateKeyFile /etc/httpd/ssl/privkey.pem
Use a full-chain certificate file that includes both the server certificate and intermediate CA certificates. The SSLCertificateChainFile directive was deprecated in Apache 2.4.8 and removed in later versions; SSLCertificateFile with a full-chain PEM replaces it.
On Debian/Ubuntu systems, paths are typically under /etc/apache2/ssl/ instead of /etc/httpd/ssl/.
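Two mistakes that silently weaken this section are a fullchain.pem that contains only the leaf certificate (clients then fail chain validation or fall back to AIA fetching) and a private key that does not belong to the certificate (httpd refuses to start). The script below, added here as an example and not part of the original guide, checks both from the command line using only the openssl CLI. It assumes openssl is installed; the certificate pair it generates for the demo is constructed on the fly and is not a real deployment artifact.

```shell
#!/bin/sh
# Added example (not part of the guide): sanity-check an Apache certificate pair.
# Assumes the `openssl` CLI is available. All paths used in the demo are constructed.

# chain_cert_count FILE -> prints how many PEM certificates FILE contains
chain_cert_count() {
    # grep -c exits 1 when the count is 0; `|| true` keeps the count printable
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# key_matches_cert CHAIN KEY -> 0 if KEY's public half equals the public key of
# the FIRST certificate in CHAIN (mod_ssl also expects the leaf to come first)
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_cert_pair CHAIN KEY -> 0 only if CHAIN holds at least two certificates
# (leaf + intermediate) and KEY matches the leaf; otherwise prints why and returns 1
check_cert_pair() {
    rc=0
    n=$(chain_cert_count "$1"); n=${n:-0}
    if [ "$n" -lt 2 ]; then
        echo "WARN: $1 contains $n certificate(s); a full chain should also include the intermediate CA" >&2
        rc=1
    fi
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key matches the leaf certificate in $1"
    else
        echo "FAIL: private key $2 does not match the leaf certificate in $1" >&2
        rc=1
    fi
    return "$rc"
}

# make_demo_pair -> creates a constructed leaf cert, an unrelated second cert to
# stand in for an intermediate, and a fullchain.pem; prints the directory
make_demo_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/CN=demo-leaf.example' -days 1 \
        -keyout "$dir/privkey.pem" -out "$dir/leaf.pem" >/dev/null 2>&1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/CN=demo-ca.example' -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
    echo "$dir"
}

# Usage: sh check_cert_pair.sh /etc/httpd/ssl/fullchain.pem /etc/httpd/ssl/privkey.pem
if [ "$#" -eq 2 ]; then
    check_cert_pair "$1" "$2"
fi
```

The key comparison works for both RSA and EC keys because both `openssl x509 -pubkey` and `openssl pkey -pubout` emit the public key as a SubjectPublicKeyInfo PEM block. A certificate count of one is reported as a warning rather than a hard error because a self-signed or directly-root-issued certificate legitimately has no intermediate.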
Security Settings
Disable SSL compression to prevent the CRIME attack, and disable session tickets for forward secrecy:
SSLCompression off
SSLSessionTickets off
OCSP Stapling
Enable OCSP stapling to improve TLS handshake performance and user privacy. The stapling cache must be configured in the global server context (outside of any VirtualHost):
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLStaplingResponseMaxAge 900
HTTP Strict Transport Security (HSTS)
Add the HSTS header to force browsers to use HTTPS for all future connections:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Only enable includeSubDomains if all subdomains support HTTPS. Only add preload if you intend to submit your domain to the HSTS preload list.
HTTPS Redirect
Redirect all HTTP traffic to HTTPS:
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
Complete Configuration Example
Global settings (in httpd.conf or ssl.conf):
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Virtual host configuration:
<VirtualHost *:443>
ServerName example.com
# Enable SSL
SSLEngine on
# Certificates
SSLCertificateFile /etc/httpd/ssl/fullchain.pem
SSLCertificateKeyFile /etc/httpd/ssl/privkey.pem
# Protocols and ciphers
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLHonorCipherOrder off
# Security settings
SSLCompression off
SSLSessionTickets off
# OCSP stapling
SSLUseStapling on
SSLStaplingResponseMaxAge 900
# Security headers
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# ... your site configuration
</VirtualHost>
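Before the external SSL Labs test, it is useful to lint the virtual host file offline for the directives this guide recommends. The script below is an added example, not part of the guide or of Apache: it reads a configuration file, strips comments so a commented-out directive is not mistaken for an active one, and checks the protocol line, the compression and session-ticket settings, OCSP stapling, the HSTS header, and that every TLS 1.2 suite is an ECDHE + AEAD suite. The protocol check is a literal match on the form used in this guide; the sample configurations in the usage section are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the guide): lint an Apache TLS configuration file
# against the settings recommended above. It only reads the file; httpd is not run.

LINT_FAILS=0   # number of failed checks in the most recent lint_tls_config call
body=""        # comment-stripped contents of the file being linted

# _report NAME STATUS -> prints PASS/FAIL for NAME; STATUS 0 means pass
_report() {
    if [ "$2" -eq 0 ]; then
        echo "PASS  $1"
    else
        echo "FAIL  $1"
        LINT_FAILS=$((LINT_FAILS + 1))
    fi
}

# _check NAME ERE -> passes if any line of $body matches the extended regex
_check() {
    st=0
    printf '%s\n' "$body" | grep -Eq "$2" || st=1
    _report "$1" "$st"
}

# lint_tls_config FILE -> exit status is the number of failed checks (0 = clean)
lint_tls_config() {
    LINT_FAILS=0
    # Remove comments first: "# SSLCompression off" must not count as present.
    body=$(sed 's/#.*$//' "$1")

    _check "only TLS 1.2 and TLS 1.3 enabled" \
        '^[[:space:]]*SSLProtocol[[:space:]]+-all[[:space:]]+[+]TLSv1[.]2[[:space:]]+[+]TLSv1[.]3[[:space:]]*$'
    _check "SSL compression disabled (CRIME)" \
        '^[[:space:]]*SSLCompression[[:space:]]+off'
    _check "session tickets disabled (forward secrecy)" \
        '^[[:space:]]*SSLSessionTickets[[:space:]]+off'
    _check "OCSP stapling enabled" \
        '^[[:space:]]*SSLUseStapling[[:space:]]+on'
    _check "stapling cache configured" \
        '^[[:space:]]*SSLStaplingCache[[:space:]]+'
    _check "HSTS header set" \
        '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age='

    # TLS 1.2 list = SSLCipherSuite lines WITHOUT the TLSv1.3 protocol keyword.
    # Every suite there must use ECDHE key exchange and an AEAD cipher.
    suites=$(printf '%s\n' "$body" | awk '$1=="SSLCipherSuite" && $2!="TLSv1.3" {print $2}')
    bad=0
    for s in $(printf '%s' "$suites" | tr ':' ' '); do
        printf '%s' "$s" | grep -Eq '^ECDHE-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$' \
            || { echo "      non-ECDHE or non-AEAD suite: $s"; bad=1; }
    done
    [ -n "$suites" ] || bad=1      # no TLS 1.2 cipher list at all
    _report "TLS 1.2 suites are ECDHE + AEAD only" "$bad"

    return "$LINT_FAILS"
}

# Usage: sh lint_tls_config.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -eq 1 ]; then
    lint_tls_config "$1"
fi
```

Run it against the virtual host file and the global file separately if the stapling cache lives in httpd.conf; the "stapling cache configured" check will fail for the virtual host file alone, which is expected. The lint is a static approximation: it confirms the directives are written as recommended, while the SSL Labs test confirms what the running server actually negotiates.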
Verification
Test your Apache configuration before restarting:
apachectl configtest
systemctl restart httpd
On Debian/Ubuntu:
apache2ctl configtest
systemctl restart apache2
Test your configuration externally using Qualys SSL Labs at https://www.ssllabs.com/ssltest/.