Apache Lounge
Topic: TR-03116-4 - Strict TLS Configuration
Constey



Joined: 11 Feb 2025
Posts: 2
Location: DE

PostPosted: Tue 11 Feb '25 16:12    Post subject: TR-03116-4 - Strict TLS Configuration

Hi there,
I've the requirement to configure apache2 for TR-03116-4 (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03116/BSI-TR-03116-4.pdf?__blob=publicationFile&v=5)

I've almost got the correct configuration, but there is one part still incorrect and I don't get it.

I've tested my site with tls-check.de and get almost all green: https://i.sstatic.net/TpiPZRZJ.png
I'm just missing the "TLS 1.2 Supported Signature Algorithms". Anyone here who knows what I am missing?

Thanks in advance,
Constantin

Code:
# SSL Stapling
# Specify the OCSP cache response location and size
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

<VirtualHost *:443>
    ServerName domain.de
    ServerAdmin domain@domain.de
    DocumentRoot /var/www/html/domain

    SSLEngine on

    SSLCertificateFile /etc/apache2/ssl/cert.crt
    SSLCertificateKeyFile /etc/apache2/ssl/cert.key

    # =========================================================================
    # TLS Protocols
    # Only allow TLSv1.2 and TLSv1.3 (disabling older protocols)
    # BSI-TR-03116-4 recommends using at least TLS 1.2 with secure cipher suites.
    # =========================================================================
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # =========================================================================
    # Cipher Suites
    # SSLHonorCipherOrder On ensures the server enforces the order below.
    # Adjust the following as new ciphers are recommended/approved.
    # =========================================================================
    SSLHonorCipherOrder On
    # Example for TLS 1.3:
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
    # For TLS 1.2:
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

    # Disable compression to prevent CRIME attacks
    SSLCompression Off

    # Disable session tickets if recommended (optional, depends on your setup)
    SSLSessionTickets On

    # Named Groups (TLS 1.3?)
    SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1


    # OCSP Stapling improves performance by providing the clients with up-to-date status of your certificate.
    SSLUseStapling on

    Header always set Strict-Transport-Security "max-age=15768000"
    Header always set X-Content-Type-Options "nosniff"

    Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' *.domain.de; frame-ancestors 'self' *.domain.de; base-uri 'self' *.domain.de; script-src 'self' data: 'unsafe-inl>
    Header set Referrer-Policy "no-referrer"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    # End
</VirtualHost>
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7389
Location: Germany, Next to Hamburg

PostPosted: Wed 12 Feb '25 15:25    Post subject:

Moin!
What is missing is a tricky parameter.

Code:

SSLOpenSSLConfCmd SignatureAlgorithms "ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"
Constey



Joined: 11 Feb 2025
Posts: 2
Location: DE

PostPosted: Wed 12 Feb '25 17:17    Post subject:

Thanks very much, that makes the point. You are my hero of today :)
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7389
Location: Germany, Next to Hamburg

PostPosted: Thu 13 Feb '25 12:12    Post subject:

Hello,
I found the test that you are using. In the detailed tab there is still an "issue" with point 2.3.3 that not all required ciphers are supported.

Did you solve that?
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7389
Location: Germany, Next to Hamburg

PostPosted: Tue 18 Feb '25 13:24    Post subject:

I figured out you are missing Curves and ciphers. This is how to solve that.

Code:

# The must-have ECDHE-ECDSA-AES128-SHA256 aka TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 required by the BSI is a weak cipher
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:brainpoolP256r1
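The three fixes in this thread (the SignatureAlgorithms directive, the extra TLS 1.2 cipher flagged under point 2.3.3, and brainpoolP256r1 in the Curves list) are easy to lose again when a config is edited later. The following script is an added example, not code from the thread or from Apache Lounge: it parses the mod_ssl directives offline and reports which of the thread's fixes are missing, so it can run in CI before a config reaches the server. The two embedded configs are constructed copies of the "before" and "after" directives from the posts above; the protocol-token evaluation is a simplified model of how SSLProtocol +/- tokens combine, and the checks themselves encode only what the thread states (they are not a full TR-03116-4 audit).

```python
"""Offline checker for the mod_ssl directives discussed in this thread (example, not from the page)."""
import shlex

# What the thread identified as missing (constants derived from the posts above).
REQUIRED_TLS12_CIPHER = "ECDHE-ECDSA-AES128-SHA256"   # tls-check.de point 2.3.3, per the thread
REQUIRED_CURVE = "brainpoolP256r1"                    # added in the final Curves line
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: Constey's original SSL directives (Header lines omitted).
BEFORE_CONFIG = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder On
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
"""

# Constructed sample: the same directives with the thread's fixes applied.
AFTER_CONFIG = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder On
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:brainpoolP256r1
SSLOpenSSLConfCmd SignatureAlgorithms "ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"
"""


def parse_directives(text):
    """Collect the relevant directives into a dict; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted SignatureAlgorithms value
        name, args = parts[0], parts[1:]
        if name == "SSLProtocol":
            conf["SSLProtocol"] = args
        elif name == "SSLHonorCipherOrder":
            conf["SSLHonorCipherOrder"] = args[0].lower() if args else ""
        elif name == "SSLCipherSuite":
            # Apache accepts an optional protocol selector: "SSLCipherSuite TLSv1.3 <list>"
            if len(args) == 2 and args[0] in ("TLSv1.3", "SSL"):
                key, spec = "SSLCipherSuite " + args[0], args[1]
            else:
                key, spec = "SSLCipherSuite", (args[0] if args else "")
            conf[key] = [c for c in spec.split(":") if c]
        elif name == "SSLOpenSSLConfCmd" and len(args) >= 2:
            conf[args[0]] = [v for v in args[1].split(":") if v]
    return conf


def enabled_protocols(tokens):
    """Simplified model of SSLProtocol evaluation: +X enables, -X disables, bare X enables, 'all' expands."""
    known = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
    enabled = set()
    for tok in tokens:
        sign, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        targets = known if proto == "all" else {proto}
        enabled = enabled | targets if sign == "+" else enabled - targets
    return enabled


def check(text):
    """Return a list of findings; an empty list means every thread-derived check passes."""
    conf = parse_directives(text)
    findings = []
    protos = enabled_protocols(conf.get("SSLProtocol", ["all"]))   # mod_ssl default enables more than we want
    if not protos:
        findings.append("SSLProtocol enables no protocol at all")
    elif protos - ALLOWED_PROTOCOLS:
        findings.append(f"SSLProtocol enables {sorted(protos - ALLOWED_PROTOCOLS)}; only TLSv1.2/TLSv1.3 expected")
    if conf.get("SSLHonorCipherOrder") != "on":
        findings.append("SSLHonorCipherOrder is not On")
    if REQUIRED_TLS12_CIPHER not in conf.get("SSLCipherSuite", []):
        findings.append(f"TLS 1.2 SSLCipherSuite lacks {REQUIRED_TLS12_CIPHER}")
    if REQUIRED_CURVE not in conf.get("Curves", []):
        findings.append(f"Curves lacks {REQUIRED_CURVE}")
    if not conf.get("SignatureAlgorithms"):
        findings.append("SSLOpenSSLConfCmd SignatureAlgorithms is not set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"{label}: {check(cfg) or 'OK'}")
```

Running it prints three findings for the "before" config (missing cipher, missing curve, no SignatureAlgorithms) and OK for the "after" config. The script only reads a config file; whether the running server actually offers those values still has to be confirmed against the live listener, for example with the tls-check.de test used in the thread.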