Author Topic: [Tutorial] Strong SSL Security for Apache  (Read 12691 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
[Tutorial] Strong SSL Security for Apache
« on: November 10, 2015, 12:52:30 PM »
This tutorial shows you how to set up strong SSL security on the Apache2 webserver.

Disable SSLv2 and SSLv3
SSL v2 is insecure, so we need to disable it. We also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. SSLv3 allows exploiting of the POODLE bug.

To do this, you'll have to edit the /usr/local/apache/conf.d/vhosts-ssl.conf for every VirtualHost that you have.
After "SSLEngine on" line, insert this line:

Code: [Select]
SSLProtocol All -SSLv2 -SSLv3
The Cipher Suite
Forward Secrecy ensures the integrity of a session key in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new key for each and every session. This means that when the private key gets compromised it cannot be used to decrypt recorded SSL traffic. The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is their overhead, which can be improved by using the elliptic curve variants.

The following two ciphersuites are recommended by Mozilla Foundation.
After "SSLProtocol All -SSLv2 -SSLv3" line, add:

Code: [Select]
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Or if you need backward compatibility (IE6/WinXP), add this line:
Code: [Select]
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
By using this configuration in your ssl vhosts, you are protected by POODLE attack and your server supports Forward Secrecy with modern browsers.

Offline
*
Re: [Tutorial] Strong SSL Security for Apache
« Reply #1 on: October 27, 2018, 06:44:58 AM »
I am still getting a B grade here:
https://www.ssllabs.com/ssltest/analyze.html

Error states:
This server accepts RC4 cipher, but only with older protocols. Grade capped to B

How do we fix this ?
surly we cant edit every vhost ...