
My advice

./mods-available/ssl.conf
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   enable only secure ciphers:
#SSLCipherSuite HIGH:MEDIUM:!ADH
#   Use this instead if you want to allow cipher upgrades via SGC facility.
#   In this case you also have to use something like 
#        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
#   see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
# http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#SSLCipherSuite HIGH:!MEDIUM:!ADH:!MD5:!ECDH:ECDHE
## http://heise.de/-1932806
##SSLCipherSuite EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+RC4 EDH+aRSA EECDH RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS
## => http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
##    (2013 list; it still offered RC4 for legacy clients)
##    RC4 is prohibited for TLS since RFC 7465: the two RC4 entries are dropped and RC4 is excluded explicitly.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !RC4 !MD5 !EXP !PSK !SRP !DSS"
./mods-available/ssl.conf
# enable only secure protocols: TLSv1.2 (and TLSv1.3 where the OpenSSL build offers it);
# disable SSLv2, SSLv3, TLSv1 and TLSv1.1
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
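A cipher string like the one above is only as good as what the linked OpenSSL actually selects for it, so it pays to expand it before trusting it. The following is an added example, not part of this page's configuration: it hands the hardened SSLCipherSuite string to the OpenSSL that Python is linked against (the same SSL_CTX_set_cipher_list call httpd makes), lists the resulting suites, and flags any that lack forward secrecy or carry one of the algorithms the string is supposed to exclude. The HARDENED constant and WEAK_MARKERS list are constructed for the example; run it on the host that runs httpd so that the OpenSSL versions match.

```python
"""Expand an Apache SSLCipherSuite string with the local OpenSSL and audit the result."""
import ssl

# Constructed input: the hardened cipher string from the ssl.conf above.
HARDENED = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA "
    "!aNULL !eNULL !LOW !3DES !RC4 !MD5 !EXP !PSK !SRP !DSS"
)

# Substrings of an OpenSSL suite name that mark it as unacceptable (constructed list).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "PSK", "SRP", "DSS", "ADH", "AECDH")


def expand(cipher_string):
    """Return the suite names OpenSSL selects for an Apache-style cipher string.

    httpd passes SSLCipherSuite to SSL_CTX_set_cipher_list, which is what
    SSLContext.set_ciphers calls; spaces, commas and colons all separate entries.
    TLS 1.3 suites are configured separately in newer httpd 2.4 and are left out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Return (ok, problems) for a cipher string.

    A suite is a problem if its key exchange is not ECDHE/DHE (no forward
    secrecy) or if its name contains one of the weak algorithm markers.
    """
    problems = []
    for name in expand(cipher_string):
        if not name.startswith(("ECDHE-", "DHE-")):
            problems.append(f"{name}: no forward secrecy")
        if any(marker in name for marker in WEAK_MARKERS):
            problems.append(f"{name}: weak algorithm")
    return (not problems, problems)


if __name__ == "__main__":
    for label, cipher_string in (("hardened", HARDENED), ("permissive", "ALL:!aNULL")):
        ok, problems = audit(cipher_string)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({len(expand(cipher_string))} suites)")
        for problem in problems:
            print("   ", problem)
```

The "permissive" string is there for contrast: ALL:!aNULL still admits static RSA key exchange, which the audit reports as lacking forward secrecy.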


Security Advice

POODLE - 2014

./mods-available/ssl.conf
< SSLProtocol all -SSLv2
--
# disable SSLv3
> SSLProtocol all -SSLv2 -SSLv3
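Review bot: the changed SSLProtocol line only removes SSLv3, which closes POODLE against SSLv3 but leaves TLSv1 and TLSv1.1 enabled; the SSLProtocol line under "My advice" above already disables those two as well, so the two fragments should be kept in sync to avoid reintroducing the older protocols when this diff is applied.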

Heartbleed - 2014

  • update the SSL library (OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g fixes it)
  • check every service: a statically linked or bundled copy of the library is not fixed by the system update and stays vulnerable; restart every process that still has the old shared library mapped
  • rotate the private key and reissue the certificate: the bug allowed reading server memory, so the key may have been exposed

x509 Auth

Have a look at the SSL_CLIENT_S_DN_x509 variables (x509 = CN, O, OU, ...) in the mod_ssl documentation. With SSLVerifyClient and SSLOptions +StdEnvVars they let you filter on users (e.g. with SSLRequire) and pass the client's DN on to the application.
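The application side of this, as an added example that is neither from this page nor from mod_ssl: a small WSGI application that trusts SSL_CLIENT_S_DN only when SSL_CLIENT_VERIFY reports SUCCESS, parses the DN in both the RFC 2253 form httpd 2.4 exports and the legacy slash-separated form, and admits only certificates from a constructed OU. The vhost directives in the comment, the ALLOWED_OU policy and the sample DNs in the test are assumptions made for the example.

```python
"""Consume mod_ssl's client-certificate variables in a WSGI application."""
import re

# Assumed vhost configuration (Apache directives, shown here only as a comment):
#   SSLVerifyClient require
#   SSLCACertificateFile /etc/ssl/certs/client-ca.pem
#   SSLOptions +StdEnvVars
# With that, mod_ssl exports SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and the
# SSL_CLIENT_S_DN_x509 components into the request environment.

ALLOWED_OU = "dev"  # constructed policy: only certificates from this OU may log in


def parse_dn(dn):
    """Map attribute type -> value for a DN string as mod_ssl exports it.

    httpd 2.4 uses the RFC 2253 form ("CN=alice,OU=dev,O=Example"); the legacy
    form is slash-separated ("/O=Example/OU=dev/CN=alice"). A separator escaped
    with a backslash belongs to the value. A repeated attribute keeps its first
    occurrence, which in RFC 2253 order is the most specific one.
    """
    if not dn:
        return {}
    if dn.startswith("/"):
        parts = re.split(r"(?<!\\)/", dn[1:])
    else:
        parts = re.split(r"(?<!\\),", dn)
    out = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        value = value.replace("\\,", ",").replace("\\/", "/")
        out.setdefault(key.strip(), value)
    return out


def authorize(environ):
    """Return (http_status, user_cn); the DN is trusted only after a verified handshake."""
    # With SSLVerifyClient optional a request can reach the application with
    # SSL_CLIENT_VERIFY set to NONE or FAILED:<reason>; the DN must be ignored then.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return ("403 Forbidden", None)
    dn = parse_dn(environ.get("SSL_CLIENT_S_DN", ""))
    if dn.get("OU") != ALLOWED_OU or not dn.get("CN"):
        return ("403 Forbidden", None)
    return ("200 OK", dn["CN"])


def application(environ, start_response):
    """Minimal WSGI entry point, e.g. for mod_wsgi behind the vhost above."""
    status, user = authorize(environ)
    body = (f"hello {user}\n" if user else "valid client certificate required\n").encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]
```

Checking SSL_CLIENT_VERIFY before reading the DN is the important step: the DN variable on its own does not tell the application whether the certificate chained to the configured CA.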
