Modification of default Apache SSL/TLS settings

The global default SSL/TLS settings for virtual hosts are based on Apache HTTP server with mod_ssl and OpenSSL. These default settings already maintain a high level of security but might be altered using the following documentation.

We strongly recommend modifying individual virtual hosts only instead of changing the global Apache defaults. You can change these settings using the GUI here: Submenu – Certificates.

Note that the Airlock Gateway default SSL/TLS settings are optimized for compatibility and security. If you override the default settings you will no longer profit from these optimizations in further Airlock Gateway updates.

Prerequisites

  • You need to be logged in as admin in the Airlock Gateway Configuration Center.

Modify the default Apache SSL/TLS settings (with global effect)

  • 1.
    Go to:
    Expert Settings >> Security Gate / Apache
  • 2.
    In the section Apache, set the radio button to ON.
  • To look-up the current settings in the httpd.conf file, use the link at the end of the Apache section.

  • 3.
    To change the httpd.conf, paste the new settings into the textbox of the Apache section.
    For Example:
  • copy
    # SSL Cipher Suites to reenable TLS 1.0. This is not recommended in general!
    SSLProtocol ALL -SSLv3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
  • 4.
    Click on the Validate button to validate the altered httpd-configuration. On success, activate the configuration.
  • The new httpd-settings are globally active.

By removing support for old or weak TLS protocol versions or ciphers, older clients may no longer be able to establish an HTTPS connection with Airlock Gateway.

Further information and links