The BEAST (Browser Exploit Against SSL/TLS) vulnerability primarily targets TLS 1.0 and earlier protocol versions. Modern security standards recommend disabling TLS 1.0 and enabling TLS 1.1+ to maintain secure communications while preventing known exploits.
First, check which protocol versions your server currently accepts (each command attempts a handshake restricted to a single version):
openssl s_client -connect yourdomain.com:443 -tls1
openssl s_client -connect yourdomain.com:443 -tls1_1
openssl s_client -connect yourdomain.com:443 -tls1_2
A handshake that completes with a named cipher means that version is enabled; a refused version shows "Cipher is (NONE)".
Edit your Apache SSL configuration (typically in /etc/httpd/conf.d/ssl.conf or /etc/apache2/mods-available/ssl.conf):
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
For optimal security with TLS 1.1/1.2, use this recommended cipher suite:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!CAMELLIA:!DES:!3DES:!DSS:!EXP:!ECDSA:!kECDH:!PSK:!SRP:!KRB5
SSLProxyCipherSuite HIGH:!aNULL:!MD5:!RC4:!CAMELLIA:!DES:!3DES:!DSS:!EXP:!ECDSA:!kECDH:!PSK:!SRP:!KRB5
After restarting Apache (systemctl restart apache2 or apachectl restart), verify with:
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
Or use online tools like SSL Labs' SSL Test for comprehensive verification.
TLS 1.2 with modern ciphers may impact performance. Consider enabling OCSP Stapling to improve handshake speed (SSLStaplingCache must be set at server level, outside any <VirtualHost> block):
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
For legacy client support, you might need to create a separate virtual host with older protocols:
<VirtualHost *:8443>
SSLProtocol +TLSv1
SSLCipherSuite "ECDHE-RSA-AES128-SHA"
# Other legacy configurations
</VirtualHost>
Note that mod_ssl builds the protocol set from scratch for each SSLProtocol directive, so "+TLSv1" here enables TLS 1.0 only in this host; add the newer versions as well if legacy and modern clients share it.
The BEAST (Browser Exploit Against SSL/TLS) vulnerability exposed critical weaknesses in SSL 3.0 and TLS 1.0, making protocol upgrades mandatory for production systems. Modern best practices require enforcing TLS 1.1+ with OpenSSL 1.0.1+ and Apache 2.4+ configurations.
# Check installed OpenSSL version
openssl version -a
# Sample output showing TLS 1.2 support:
# OpenSSL 1.1.1g 21 Apr 2020
# Built on: Wed Apr 21 13:33:42 2021 UTC
# Options: bn(64,64) ...
# TLSv1/SSLv3, TLSv1.1, TLSv1.2
Modify your virtual host configuration (typically in /etc/apache2/sites-available/default-ssl.conf):
<VirtualHost *:443>
SSLEngine on
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
# Certificate paths (example)
SSLCertificateFile /etc/ssl/certs/your_domain.crt
SSLCertificateKeyFile /etc/ssl/private/your_domain.key
SSLCertificateChainFile /etc/ssl/certs/chain.crt
</VirtualHost>
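Before restarting, it is worth checking that each SSLProtocol line resolves to the set you intend. Here is an added Python example (not from this page and not httpd's own code) that evaluates SSLProtocol directives with the rules the mod_ssl 2.4 documentation describes: the set starts empty, "+" adds, "-" removes and a bare keyword replaces what was accumulated, so "all -SSLv2 -SSLv3 -TLSv1", "-all +TLSv1.1 +TLSv1.2" and a legacy host's "+TLSv1" resolve to three different sets. The config it audits is a constructed sample built from the snippets on this page; treating "all" as including SSLv3 is an assumption chosen as the conservative one (OpenSSL builds configured with no-ssl3 drop it).

```python
"""Evaluate Apache SSLProtocol directives and flag BEAST-affected versions.

Added example, not part of the page or of httpd; it models the SSLProtocol
parsing rules documented for mod_ssl 2.4 and runs on a constructed config.
"""
import re

# Protocol keywords mod_ssl 2.4 accepts, mapped to their canonical spelling
# (matching is case-insensitive, as in mod_ssl).
PROTOCOLS = {
    "sslv3": "SSLv3",
    "tlsv1": "TLSv1",
    "tlsv1.1": "TLSv1.1",
    "tlsv1.2": "TLSv1.2",
    "tlsv1.3": "TLSv1.3",
}
# Assumption: "all" means every keyword above.  OpenSSL builds configured with
# no-ssl3 drop SSLv3 from "all"; the larger set is the safe choice for an audit.
ALL = frozenset(PROTOCOLS.values())
# BEAST needs a CBC cipher under SSL 3.0 or TLS 1.0; TLS 1.1 fixed the IV chaining.
BEAST_AFFECTED = frozenset({"SSLv3", "TLSv1"})


def resolve_ssl_protocol(args):
    """Return the protocol set one SSLProtocol argument string enables.

    mod_ssl starts from an empty set and reads the words left to right:
    '+word' adds, '-word' removes, and a bare word replaces whatever was
    accumulated so far.  httpd 2.4 no longer supports SSLv2: '-SSLv2' is
    ignored for backwards compatibility, anything else naming it is an error.
    """
    enabled = set()
    for word in args.split():
        action = ""
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "sslv2":
            if action == "-":
                continue
            raise ValueError("SSLProtocol: SSLv2 is no longer supported")
        if key == "all":
            this = set(ALL)
        elif key in PROTOCOLS:
            this = {PROTOCOLS[key]}
        else:
            raise ValueError(f"SSLProtocol: unknown keyword {word!r}")
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this
    return frozenset(enabled)


DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)


def audit(config_text):
    """Report every SSLProtocol directive with the versions it leaves enabled.

    Each finding records the scope ('server' or the VirtualHost address), the
    line number, the resolved set and whether a BEAST-affected version remains.
    """
    findings = []
    scope = "server"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        if m := VHOST_OPEN.match(line):
            scope = m.group(1).strip()
        elif VHOST_CLOSE.match(line):
            scope = "server"
        elif m := DIRECTIVE.match(line):
            enabled = resolve_ssl_protocol(m.group(1))
            findings.append({
                "scope": scope,
                "line": lineno,
                "enabled": enabled,
                "beast_exposed": bool(enabled & BEAST_AFFECTED),
            })
    return findings


# Constructed sample built from the SSLProtocol lines shown on this page.
SAMPLE_CONFIG = """\
# server-level setting
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.1 +TLSv1.2
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol +TLSv1   # legacy host: starts from empty, so TLS 1.0 ONLY
</VirtualHost>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        flag = "BEAST-EXPOSED" if f["beast_exposed"] else "ok"
        print(f"line {f['line']:>3} [{f['scope']}] {sorted(f['enabled'])} -> {flag}")
```

Run it against your real ssl.conf and vhost files by passing their contents to audit(); any finding with beast_exposed set to True still accepts SSL 3.0 or TLS 1.0 in that scope.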
Modern best practices recommend these cipher suites for balancing security and compatibility:
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
After implementing changes, verify your configuration:
# Syntax check
apachectl configtest
# Restart Apache
systemctl restart apache2
# Test with OpenSSL client
openssl s_client -connect yourdomain.com:443 -tls1_1
openssl s_client -connect yourdomain.com:443 -tls1_2
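Reading the s_client output by eye for three versions is error-prone, so here is an added Python example (not from this page) that runs the same three probes and decides from the output whether each version was accepted. The two sample outputs are constructed after what openssl s_client prints: a completed handshake shows "New, <version>, Cipher is <name>" plus an SSL-Session block, while a refused version shows "Cipher is (NONE)". Only probe_host talks to a real server through the openssl binary; parse_s_client and verdict work on captured text, which is what the samples exercise.

```python
"""Probe a server for TLS 1.0/1.1/1.2 with openssl s_client and judge the result.

Added example, not part of the page.  parse_s_client() and verdict() work on
captured output; probe_host() is the only piece that talks to a real server.
"""
import re
import subprocess
import sys

# s_client flags from the page mapped to the version name s_client reports.
VERSION_FLAGS = {"-tls1": "TLSv1", "-tls1_1": "TLSv1.1", "-tls1_2": "TLSv1.2"}
BEAST_AFFECTED = {"SSLv3", "TLSv1"}

NEW_LINE = re.compile(r"^New, (?P<proto>.+?), Cipher is (?P<cipher>\S+)", re.MULTILINE)
SESSION_PROTO = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)


def parse_s_client(output):
    """Return {'accepted', 'protocol', 'cipher'} from openssl s_client output.

    A completed handshake prints a real cipher on the "New, ..." line and the
    negotiated version in the SSL-Session block.  A refused version prints
    "Cipher is (NONE)" (session cipher 0000), so a usable cipher is the
    reliable sign that the requested version was accepted.
    """
    m = NEW_LINE.search(output)
    cipher = m.group("cipher") if m else None
    if cipher in (None, "(NONE)", "0000"):
        return {"accepted": False, "protocol": None, "cipher": None}
    s = SESSION_PROTO.search(output)
    protocol = s.group(1) if s else m.group("proto")
    return {"accepted": True, "protocol": protocol, "cipher": cipher}


def probe_host(host, port=443, flags=VERSION_FLAGS, timeout=15):
    """Run openssl s_client once per version flag and parse each result.

    stdin is closed immediately so s_client exits after the handshake; stderr
    is included because the alert for a refused version is printed there.
    """
    results = {}
    for flag, name in flags.items():
        cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
               "-servername", host, flag]
        try:
            proc = subprocess.run(cmd, input="", capture_output=True,
                                  text=True, timeout=timeout)
            out = proc.stdout + proc.stderr
        except (OSError, subprocess.TimeoutExpired):
            out = ""                     # missing binary or hang: treat as refused
        results[name] = parse_s_client(out)
    return results


def verdict(results):
    """Turn per-version results into a list of human-readable findings."""
    findings = []
    for name, r in results.items():
        if r["accepted"]:
            tag = " (BEAST-affected CBC modes possible)" if name in BEAST_AFFECTED else ""
            findings.append(f"{name}: accepted, cipher {r['cipher']}{tag}")
        else:
            findings.append(f"{name}: refused")
    return findings


# Constructed samples of what s_client prints (not real captures).
ACCEPTED_SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = yourdomain.com
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

REFUSED_SAMPLE = """\
CONNECTED(00000003)
error:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
"""

if __name__ == "__main__":
    # With a hostname argument probe it for real; otherwise show the samples.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    results = probe_host(host) if host else {
        "TLSv1": parse_s_client(REFUSED_SAMPLE),
        "TLSv1.2": parse_s_client(ACCEPTED_SAMPLE),
    }
    print("\n".join(verdict(results)))
```

After the change, TLSv1 should report "refused" while TLSv1.1 and TLSv1.2 report the cipher they negotiated; an openssl build compiled without TLS 1.0 support also reports "refused" for that flag, which is the same answer from the client's point of view.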
Use these tools for comprehensive validation:
- Qualys SSL Labs Test (https://www.ssllabs.com/ssltest/)
- testssl.sh (command-line tool)
- Mozilla SSL Configuration Generator
TLS 1.2 introduces some overhead compared to older protocols. Keep an eye on module status and connection counts:
# Confirm mod_ssl is loaded (this lists modules, not traffic statistics)
apachectl -t -D DUMP_MODULES | grep ssl
# Count open connections on port 443 per remote address, refreshed every second
watch -n 1 "netstat -anp | grep ':443' | awk '{print \$5}' | cut -d: -f1 | sort | uniq -c | sort -n"
For legacy system compatibility during transition, implement this phased approach:
- First enable both TLS 1.0 and 1.1/1.2
- Monitor traffic patterns with mod_logio, and log the negotiated version with %{SSL_PROTOCOL}x in your LogFormat so you can see which clients still use TLS 1.0
- After 30-60 days, disable TLS 1.0 if no legacy clients remain