How do I enable perfect forward secrecy by default on Apache?

Warning: please only use the recommendations for Apache configuration from the answers below. For which cipher(s) to use - security norms change over time and some of the security advice below is already out of date.

In the wake of recent events, I have been reconsidering my Apache setup. Currently, my apache site config looks something like this:

 <IfModule mod_ssl.c>
    <VirtualHost *:80>
            ServerName example.com
            ServerAlias www.example.com
            Redirect permanent / https://example.com
    </VirtualHost>

    <VirtualHost *:443>
            ServerAdmin webmaster@localhost
            ServerName example.com

            DocumentRoot /var/www-wordpress
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory /var/www-wordpress>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride FileInfo
                    Order allow,deny
                    allow from all
            </Directory>

            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>

            ErrorLog ${APACHE_LOG_DIR}/error.log
            LogLevel warn

            CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
            SSLCertificateFile    /etc/ssl/certs/example.com.crt
            SSLCertificateKeyFile /etc/ssl/private/example.com.key
            SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>

            BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
            BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>

What do I have to do to support perfect forward secrecy? How can I enable SSL perfect forward secrecy by default? How could I enforce it?

How about:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5

Note the addition of the -SSLv3 flag to disable SSLv3. This is added to protect against the POODLE attack.

This will prefer perfect forward secrecy, but not at the expense of being vulnerable to the BEAST attack. Since Apache lacks a way to configure cipher preference based on protocol version, I fake it by referring to ciphers only available in the newer protocols. Specifically, AES was only available with SHA1 hashing until TLSv1.2. Thus the list starts with the TLSv1.2 ephemeral Diffie-Hellman ciphers, then RC4 (first with ephemeral DH, then without), and finally a BEAST-vulnerable AES option. Excluding no auth / weak encryption / weak hashing at the end is just for good hygiene and could be omitted since no such ciphers were introduced. If performance is a concern, use EECDH only and omit EDH.

In combination with Apache 2.2 (thus no EECDH as @Bruno says), per https://www.ssllabs.com/ssltest/analyze.html, this achieves PFS for iOS Safari only. IE and Firefox are TLSv1.0 so they get RC4 to avoid BEAST. (Alas, there is no such thing as EDH RC4, so without EECDH, you give up PFS). This is, I believe, the best one could hope for with those browsers on Apache 2.2. Chrome is the only one poorly served, since it supports TLSv1.1 and could use EDH AES without being vulnerable to BEAST. Instead, it gets RC4-RSA like Firefox and IE. Upgrading Apache to enable EECDH RC4 should get PFS for Firefox, IE, and Chrome.

Update 2013-11-09:

I've found a few alternate recommendations around the web. They put less emphasis on BEAST protection (perhaps wise; BEAST is mostly mitigated client-side now) and more emphasis on perfect forward secrecy. To varying degrees they also have stronger preferences for GCM and greater reluctance to accept RC4.

Of particular note are, I think, the following recommendations:

• Mozilla OpSec
• Ivan Ristic (of Qualys)
• Geoffroy Gramaize

Personally, I'm going to go with Mozilla OpSec's. Their reasoning is well explained on their page. Of note, they prefer AES128 over AES256. In their words: "[AES128] provides good security, is really fast, and seems to be more resistant to timing attacks."

Noteworthy in Ivan Ristic's and Geoffroy Gramaize's recommendation is that SSLv3 is disabled. I think this mostly just breaks IE6, though some security related differences between SSLv3 and TLS v1.0 are mentioned on Wikipedia.

Also before I didn't talk about CRIME and BREACH. To protect against CRIME, disable SSL compression. This is included in the examples linked. To protected against BREACH, you need to disable compression at the HTTP level. For Apache 2.4, just do this once globally:

<Location />
  SetEnvIfExpr "%{HTTPS} == 'on'" no-gzip
</Location>

For older versions of Apache, place this in each VirtualHost where SSLEngine is on:

<Location />
    SetEnv no-gzip
</Location>

Update 2014-10-14: The Mozilla OpSec guide is now split into recommendations for old/intermediate/modern compatibility. With the settings from intermediate or modern, you end up with SSLv3 disabled. That will protect against the POODLE attack.

From my own understanding, you need to activate SSLHonorCipherOrder and to prepend SSLCipherSuite with ECDHE and DHE ciphers from openssl ciphers -v

From my /etc/apache2/mods-available/ssl.conf:

SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

To test your website, you can use: https://www.ssllabs.com/ssltest

Note: Eliptic Curve DHE only seems to work with Apache 2.3.3 or higher (see source and Bruno's comment).

The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is their overhead, which can be improved by using the elliptic curve variants (see Vincent Bernat's blog.)

The cipher suites in Apache Httpd (provided you're using mod_ssl compiled with OpenSSL) are configured using SSLCipherSuite, which takes a list as you would see when using the openssl ciphers command. If you look at the OpenSSL man page, you'll find kEDH is what you're looking for. (You can also list cipher suites individually.)

Enter this cipher code in your httpd.conf in the main/core conf directive:

SSLCipherSuite AES128+EECDH:AES128+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off 
SSLUseStapling on 
SSLStaplingCache "shmcb:logs/stapling-cache(150000)" 

You can even check the status of how secure it is by testing it at: https://www.ssllabs.com/ssltest/analyze.html?

Try this code in your ssl.conf:

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA

By the way,

Expert tip: The (1/n-1) split record trick is implemented in Firefox since a while. Thus, you can safely disable RC4 on Firefox in the advanced configuration menu. To do so, enter ‘about:config’ in your address bar, then search for ‘rc4′ and toggle all the found values to ‘false’. If you experience connections issues, toggle back those parameters to true.

https://cc.dcsec.uni-hannover.de/

This websites gives you information on the SSL cipher suites your browser supports for securing HTTPS connections.

Have a look at https://cipherli.st

There you find copy & paste config snippets for several services, that should ensure strong ssl security settings.

This article will help you configure forward security and get you up to date on current standards - https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

As of 09/16/2015, this will get you an A on SSLLabs test results.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

I got a grade A (Sept. 2016) on SSLLabs still supporting Windows XP / Internet Explorer 8 using this ssl.conf configuration on Apache:

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:AES256+EECDH:DES-CBC3-SHA

In brief: only TLS is allowed: all versions are supported for compatibility and DES-CBC3-SHA cipher is allowed for compatibility too. The first, preferred two ciphers are using Elliptic curve Diffie-Hellman, the last was added as a fallback because this a good option among the ciphers available XP/IE. If you've installed the last OpenSSL version available this mix is enough to get an A at the time I'm writing.

Hope this is helpful.