Skip to main content
ExLibris
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Ex Libris best practice for TLS configuration in Apache

    • Product: Apache for Ex Libris products
    • Product Version: N/A
    • Relevant for Installation Type: Local


     

    In order to align with industry best practice and to practice high security standards, Ex Libris has developed a best practice configurations for enabling and maintaining the Apache TLS setup.

    For all hosted environments this will be handled by Ex Libris cloud team and no modifications are required by the customer side for any of Ex Libris products.

     

    For non-hosted environments, Ex Libris highly recommends that all customers that run secure connections via TLS follow the path of disabling old TLS protocols and ciphers, below you will find a guide of how to disable this on Ex Libris based Apache applications.

     

    Note: If your institution utilizes a Load Balancer/Proxy that proxies all traffic to internal services, then these changes should be carried out on the Load balancer level, please have your IT contact the Load balancer vendor for detailed instruction how to perform this change.

     

     

    Important:

    • It is highly recommended to test this configuration on a sandbox environment before applying to the production environment.
    • Make sure to backup any file that is being modified in case there is a need to revert

     

    These changes are based on the Mozilla SSL configuration recommendation (Link).

     

    The configuration below should be added to the relevant ssl.conf file that is running on your Ex Libris application, if you are uncertain of the location of this file, please open a support ticket requesting assistance.

     

    Add the enclosed section between ####Start of security configuration#### & ####End of security configuration####, make sure to add this beneath the VirtualHost block.

    Make sure to comment out any previous settings in the ssl.conf that utilize the same directives as the ones in the enclosed section.

     

     

     

    <VirtualHost *:443>

        ...

        SSLEngine on

        SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs

        SSLCertificateKeyFile   /path/to/private/key

     

        # Uncomment the following directive when using client certificate authentication

        #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

     

     

        ...

    </VirtualHost>

     

     

    ####Start of security configuration####

     

    # modern configuration, tweak to your needs

    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    SSLHonorCipherOrder     on

    SSLCompression          off

    SSLSessionTickets       off

     

     

    ####End of security configuration####

     

      The above changes require an Apache restart

     


    • Article last edited: 28-Mar-2019
    • Was this article helpful?
    //Feedback