[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing apache



Tanstaafl:
> Hi all,
> 
> Noob-alert!
> 
> Ok, a site I have inherited that is running debian (7.4) is running
> Apache, and a test of the SSL for that site reveals a few issues I'd
> like to address.
> 
> First, the site checker I was using is:
> 
> https://sslcheck.globalsign.com/en_US

This appears to be a less common interface to this check which is
recommended often:

https://www.ssllabs.com/ssltest/

> The general results (and recommendations) are:
> 
> Disable weak cipher suites:
> "Use only cipher suites that have authentication and encryption of
> 128-bit or higher."
> 
> Disable SSLv3

I use these settings and receive good results:

SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3

AFAICT, it is not possible to be both resistant to BEAST attacks and
have Perfect Forward Secrecy at the same time with wheezy's Apache. But
since BEAST may be (and usually is) mitigated on the client side, I
prefer PFS.

> Enable 'Strict-Transport-Security'

I didn't know this one. You can add this line to any VirtualHost with a
hostname that you only want to be accessed with SSL:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Do not use it if some parts of your site should be accessible without
SSL.

> Enable 'SPDY'

This is an extension to HTTP developed by Google. Some of its ideas will
find their way into the next version of HTTP (2.0). You don't strictly
need it and it does not improve security except by making SSL mandatory.

J.
-- 
No-one appears to be able to help me.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>

Attachment: signature.asc
Description: Digital signature


Reply to: