OK I finally got OS X Server 5 to work with TLS 1.2 and forward secrecy, making ATS perfectly happy 😀
1. Install Homebrew, then brew install openssl and brew install pcre
2. Download the latest source for Apache, apr, and apr-util
3. Extract Apache source into /usr/local/src/httpd-2.4.17
4. Extract apr and apr-util archives to /usr/local/src/httpd-2.4.17/srclib/apr and /usr/local/src/httpd-2.4.17/srclib/apr-util
5. Replace the character "+" with the word "apache2" in the files config.layout inside the apr and apr-util dirs
6. In Terminal, execute the following commands:
- cd /usr/local/src/httpd-2.4.17
- CFLAGS="-arch x86_64" ./configure --prefix=/usr/local/apache-2.4.17 --with-included-apr --with-included-apr-util --with-mpm=prefork --with-ssl=/usr/local/opt/openssl --enable-mods-shared=reallyall --enable-layout=Darwin
- make
- make install
7. Copy mod_hfs_apple.so, mod_authnz_ldap.so, and mod_ldap.so from /usr/libexec into /usr/local/apache-2.4.17/modules
8. Disable SIP: restart into Recovery mode (Command-R), open Terminal, and type csrutil disable
9. Restart back into normal mode, open Terminal, and type the following commands:
- sudo mv /usr/sbin/httpd /usr/sbin/httpd.old
- sudo mv /usr/libexec/apache2 /usr/libexec/apache2.old
- sudo ln -s /usr/local/apache-2.4.17/bin/httpd /usr/sbin/httpd
- sudo ln -s /usr/local/apache-2.4.17/modules /usr/libexec/apache2
10. Re-enable SIP: restart into Recovery mode, open Terminal, and type csrutil enable
11. Download the latest source for PHP and extract to /usr/local/src/php-5.6.16 (or whatever version; 7.0 just came out with scalar typing O.o)
12. Configure PHP with the following commands (modify as needed, but this worked for my LAMP stack with OS X Server 5):
- ln -s /usr/local/opt/openssl /usr/local/openssl
- cd /usr/local/src/php-5.6.16
- CFLAGS="-arch x86_64" ./configure --with-openssl=/usr/local/opt/openssl \
    --with-pcre-regex=/usr/local/opt/pcre \
    --with-curl=/usr/bin/curl \
    --enable-exif \
    --with-mysql=/usr/local/mysql \
    --with-mysql-sock=/tmp/mysql.sock \
    --with-pdo-mysql \
    --enable-opcache \
    --with-apxs2=/usr/local/apache-2.4.17/bin/apxs \
    --prefix=/usr/local/apache-2.4.17/php/ \
    --enable-sockets \
    --enable-zip \
    --with-pear=/usr/local/apache-2.4.17/lib/php \
    --enable-mbstring \
    --with-mysqli
- make
- make install
13. In a text editor, edit the file:
/Library/Server/Web/Config/Proxy/servermgr_serviceproxy_customsites.plist
Starting at line 65, perform these changes (remove the lines marked "delete", insert the lines marked "add"):
- delete: <string>SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"</string>
- add: <string>SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"</string>
- add: <string>SSLHonorCipherOrder On</string>
- delete: <string>SSLProtocol -ALL +TLSv1</string>
- add: <string>SSLProtocol -SSLv2 -SSLv3</string>
- delete: <string>SSLProxyProtocol -ALL +TLSv1</string>
- add: <string>SSLProxyProtocol -SSLv2 -SSLv3</string>
14. Next, make a similar change in apache_serviceproxy_customsites.conf, starting at line 13 (again, remove the lines marked "delete" and insert the lines marked "add"):
- delete: SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
- add: SSLHonorCipherOrder On
- add: SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
- delete: SSLProtocol -ALL +TLSv1
- add: SSLProtocol ALL -SSLv2 -SSLv3
- delete: SSLProxyProtocol -ALL +TLSv1
- add: SSLProxyProtocol ALL -SSLv2 -SSLv3
15. Next, make the exact same changes as in step 14 in apache_serviceproxy.conf, starting at line 198.
16. Next, make the exact same changes to any custom sites that you have already configured with SSL in OS X Server. Their files will be found at a path like this:
/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34543_[[your custom site's url]].conf
17. Start OS X Server and run the following command to verify that you have succeeded:
/usr/bin/nscurl --ats-diagnostics https://[[your custom site's https url]]
In my case ALL of the tests came back with a "PASS."
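As an added check that is not part of the original post (and not Apple's or Apache's own tooling), here is a small Python audit you can run over the edited .conf files or the plist before restarting the server. It reads the SSLProtocol, SSLProxyProtocol, SSLCipherSuite and SSLHonorCipherOrder directives, whether bare or wrapped in a plist <string> element, and flags the things ATS trips over: TLSv1.2 not enabled, SSLv2/SSLv3 still allowed, RC4 still permitted, no ECDHE/DHE entry at the head of the cipher list, and cipher order not honored. It follows Apache's SSLProtocol token rules, where the set starts empty, "all" covers SSLv3 and newer, "+X" adds, "-X" removes and a bare name replaces the set; a directive that only subtracts protocols therefore ends with nothing enabled, which the audit reports, so the `ALL -SSLv2 -SSLv3` form from step 14 is the one it passes. The sample configurations are constructed from the directives above; the cipher checks are heuristics, with `openssl ciphers -v` as the authoritative expansion.

```python
"""Static audit of Apache mod_ssl directives for ATS-style requirements.
Added example; not part of the original post. Sample inputs are constructed."""
import re

# Apache's "all" shortcut means SSLv3 and newer; it never re-enables SSLv2.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Matches a bare directive line or one wrapped in a plist <string> element.
DIRECTIVE_RE = re.compile(
    r'^\s*(?:<string>)?\s*(SSL\w+)\s+"?([^"<]*?)"?\s*(?:</string>)?\s*$')


def parse_ssl_protocol(value):
    """Apply Apache's SSLProtocol token rules and return the enabled set."""
    enabled = set()
    for tok in value.split():
        action = ""
        if tok[0] in "+-":
            action, tok = tok[0], tok[1:]
        name = tok.lower()
        group = set(ALL_PROTOCOLS) if name == "all" else {name}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:  # bare name: replaces whatever was set before it
            enabled = group
    return enabled


def cipher_findings(spec):
    """Heuristic checks on an OpenSSL cipher string (not a full expansion)."""
    findings = []
    positive = [t.lstrip("+") for t in spec.split(":") if not t.startswith("!")]
    if any("RC4" in t.upper() for t in positive):
        findings.append("SSLCipherSuite still permits RC4")
    # Forward secrecy: the preferred (first) entry should be an (EC)DHE family.
    fs_prefixes = ("ECDH", "DH", "EECDH", "EDH", "KEECDH", "KEDH")
    if not positive or not positive[0].upper().startswith(fs_prefixes):
        findings.append("SSLCipherSuite does not prefer an ECDHE/DHE entry "
                        "(forward secrecy not guaranteed)")
    return findings


def extract_directives(conf_text):
    """Map directive name -> value for the SSL* lines found in conf_text."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def audit(conf_text):
    """Return a list of findings; an empty list means the config passes."""
    d = extract_directives(conf_text)
    findings = []
    for name in ("SSLProtocol", "SSLProxyProtocol"):
        if name not in d:
            continue
        enabled = parse_ssl_protocol(d[name])
        if not enabled:
            findings.append(f"{name} enables no protocol at all")
        elif "tlsv1.2" not in enabled:
            findings.append(f"{name} does not enable TLSv1.2 (ATS requires it)")
        if enabled & {"sslv2", "sslv3"}:
            findings.append(f"{name} still allows SSLv2/SSLv3")
    if "SSLCipherSuite" in d:
        findings.extend(cipher_findings(d["SSLCipherSuite"]))
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On (client picks the cipher)")
    return findings


# Constructed samples: the stock OS X Server directives and the replacements.
STOCK_CONF = """\
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +TLSv1
SSLProxyProtocol -ALL +TLSv1
"""

HARDENED_CONF = """\
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
SSLHonorCipherOrder On
SSLProtocol ALL -SSLv2 -SSLv3
SSLProxyProtocol ALL -SSLv2 -SSLv3
"""

PLIST_SNIPPET = """\
<string>SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:!aNULL:!MD5:!DSS"</string>
<string>SSLHonorCipherOrder On</string>
<string>SSLProtocol ALL -SSLv2 -SSLv3</string>
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]", audit(text) or "OK")
```

To audit a real file, read it and pass the text to audit(), e.g. `audit(open("/Library/Server/Web/Config/apache2/sites/<site>.conf").read())`; the regex ignores unrelated lines, so whole files can be fed in as-is.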