Ex Libris best practice for TLS configuration in Apache
- Product: Apache for Ex Libris products
- Product Version: N/A
- Relevant for Installation Type: Local
In order to align with industry best practice and to maintain high security standards, Ex Libris has developed a best practice configuration for enabling and maintaining the Apache TLS setup.
For all hosted environments this is handled by the Ex Libris cloud team; no modifications are required on the customer side for any Ex Libris product.
For non-hosted environments, Ex Libris highly recommends that all customers who serve secure connections via TLS disable the old TLS protocols and weak ciphers. Below you will find a guide to doing this on Ex Libris based Apache applications.
Note: If your institution uses a Load Balancer/Proxy that terminates TLS and proxies all traffic to internal services, then these changes should be carried out at the Load Balancer level, since that is where clients negotiate TLS. Please have your IT contact the Load Balancer vendor for detailed instructions on how to perform this change.
Important:
- It is highly recommended to test this configuration on a sandbox environment before applying to the production environment.
- Make sure to back up any file that is being modified in case there is a need to revert.
These changes are based on the Mozilla Server Side TLS recommendation (Link).
The configuration below should be added to the relevant ssl.conf file that is used by your Ex Libris application. If you are uncertain of the location of this file, please open a support ticket requesting assistance.
Add the enclosed section between ####Start of security configuration#### and ####End of security configuration####. Make sure to add it beneath the VirtualHost block, i.e. after the closing </VirtualHost> line, so that it applies at server level to every TLS virtual host in the file.
Make sure to comment out any previous settings in ssl.conf that use the same directives as the ones in the enclosed section. This matters because a directive left inside a <VirtualHost> block overrides the server-level value for that host regardless of where the new block is placed, so a stale SSLProtocol or SSLCipherSuite line would silently keep the old, weaker settings active.
<VirtualHost *:443>
...
SSLEngine on
# Apache 2.4.8 and later read the intermediate chain from this file; older releases need SSLCertificateChainFile for the intermediates
SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
SSLCertificateKeyFile /path/to/private/key
# Uncomment the following directive when using client certificate authentication
#SSLCACertificateFile /path/to/ca_certs_for_client_authentication
...
</VirtualHost>
####Start of security configuration####
# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
####End of security configuration####
The above changes require an Apache restart. Validate the configuration before restarting (for example with apachectl configtest): SSLCompression needs Apache 2.4.3 or later and SSLSessionTickets needs Apache 2.4.11 or later, and an unrecognized directive will prevent Apache from starting. SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 leaves TLS 1.2 enabled and, on Apache 2.4.36 or later built against OpenSSL 1.1.1 or later, TLS 1.3 as well; the SSLCipherSuite list above governs the TLS 1.2 cipher suites only, TLS 1.3 suites are selected separately. After the restart, confirm from a client machine that the server rejects TLS 1.0 and 1.1 handshakes and negotiates an ECDHE suite over TLS 1.2 or 1.3.
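The following script is an added example and is not Ex Libris code. It audits an ssl.conf for the directives this article sets (old protocols removed, an ECDHE-only cipher list, SSLHonorCipherOrder on, SSLCompression off, SSLSessionTickets off, and no duplicate active directives left behind) and, when given a hostname, probes the live listener with openssl s_client after the restart. The two sample ssl.conf files are constructed inline for demonstration; the certificate paths and the hostname argument are placeholders for your own environment.

```shell
#!/bin/sh
# Added example, not Ex Libris code. Audits an Apache ssl.conf against the
# settings in this article and optionally probes a live server. Sample config
# contents below are constructed for the demonstration.

# Last active (uncommented) value of a directive. Apache uses the last
# occurrence at a scope, but a copy inside <VirtualHost> beats a server-level
# one regardless of order, which is why duplicates are reported as failures.
active_directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $0
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", v)
        sub(/[[:space:]]+$/, "", v); last = v }
        END { print last }' "$2"
}

# Number of active occurrences of a directive in the file.
count_active() {
    awk -v d="$1" 'tolower($1) == tolower(d) { n++ } END { print n + 0 }' "$2"
}

# proto_disabled NAME "SSLProtocol value": succeeds if NAME cannot be negotiated.
proto_disabled() {
    case " $2 " in
        *" -$1 "*)                               return 0 ;;  # explicitly removed
        *" $1 "*|*" +$1 "*|*" all "*|*" +all "*) return 1 ;;  # still enabled
        *)                                       return 0 ;;  # never listed
    esac
}

# audit_ssl_conf FILE: prints findings, returns 0 only if every check passes.
audit_ssl_conf() {
    f=$1; ok=0
    proto=$(active_directive SSLProtocol "$f")
    for old in SSLv3 TLSv1 TLSv1.1; do
        if ! proto_disabled "$old" "$proto"; then
            echo "FAIL $f: $old still enabled (SSLProtocol '$proto')"; ok=1
        fi
    done
    ciphers=$(active_directive SSLCipherSuite "$f")
    [ -n "$ciphers" ] || { echo "FAIL $f: SSLCipherSuite not set"; ok=1; }
    for c in $(echo "$ciphers" | tr ':' ' '); do   # the article lists only ECDHE suites
        case "$c" in
            ECDHE-*) ;;
            *) echo "FAIL $f: cipher entry '$c' is not an explicit ECDHE suite"; ok=1 ;;
        esac
    done
    for want in "SSLHonorCipherOrder on" "SSLCompression off" "SSLSessionTickets off"; do
        d=${want% *}; v=${want#* }
        got=$(active_directive "$d" "$f" | tr 'A-Z' 'a-z')
        if [ "$got" != "$v" ]; then
            echo "FAIL $f: $d is '${got:-unset}', expected '$v'"; ok=1
        fi
    done
    for d in SSLProtocol SSLCipherSuite SSLHonorCipherOrder SSLCompression SSLSessionTickets; do
        n=$(count_active "$d" "$f")
        if [ "$n" -gt 1 ]; then
            echo "FAIL $f: $d appears $n times; comment out the old one"; ok=1
        fi
    done
    return $ok
}

# Constructed sample: a stock-looking ssl.conf before the change.
write_weak_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
}

# Constructed sample: the same file after applying the article (old lines commented out).
write_hardened_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    #SSLProtocol all -SSLv2
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
####Start of security configuration####
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
####End of security configuration####
EOF
}

# probe_live HOST: after the restart, check what the server really negotiates.
# A legacy handshake must fail; a failure is also reported when the local
# openssl build no longer supports that protocol flag, so read the output.
probe_live() {
    for flag in -ssl3 -tls1 -tls1_1; do
        if openssl s_client -connect "$1:443" "$flag" </dev/null >/dev/null 2>&1; then
            echo "FAIL $1: server accepted $flag"
        else
            echo "ok   $1: $flag rejected (or unsupported by this openssl build)"
        fi
    done
    openssl s_client -connect "$1:443" -tls1_2 </dev/null 2>/dev/null | grep -E 'Protocol *:|Cipher *:'
}

tmp=$(mktemp -d)
write_weak_conf "$tmp/ssl.conf.before"
write_hardened_conf "$tmp/ssl.conf.after"
for f in "$tmp/ssl.conf.before" "$tmp/ssl.conf.after"; do
    if audit_ssl_conf "$f"; then echo "PASS $f"; fi
done
rm -rf "$tmp"
# Live probe only when a hostname is given, e.g.: sh audit_tls.sh ils.example.edu
[ $# -eq 0 ] || probe_live "$1"
```

Run it with no arguments to see the constructed "before" file fail and the "after" file pass; point it at your own file by calling audit_ssl_conf with the path. The audit is a static heuristic, so always follow it with apachectl configtest and, once Apache is restarted, with the live probe against the real hostname.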
- Article last edited: 28-Mar-2019