If you are going to use SSL for your site, make sure that you disable weak ciphers.
To do this, simply edit the SSL configuration:
```apache
# /etc/httpd/conf.d/ssl.conf
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!LOW:!MEDIUM
```

Save the file, restart Apache and check that the settings are working:

```sh
# Restart Apache
service httpd restart

# This connection should succeed (a HIGH cipher is negotiated)
openssl s_client -connect localhost:443 -cipher EXP:HIGH

# The commands below should fail with a handshake error
openssl s_client -connect localhost:443 -cipher EXP:LOW
openssl s_client -connect localhost:443 -cipher EXP:MEDIUM
```
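To run the s_client checks above against every cipher class the SSLCipherSuite is meant to exclude, here is an added example script (not code from the original post). It assumes `openssl s_client` is on the PATH and takes the target as host:port on the command line; the two sample transcripts embedded in it are constructed, not captured from a real server.

```sh
# Added example, not from the original post: automate the s_client checks above
# by probing one cipher class or protocol flag at a time and reporting whether
# the server accepted it. Assumes `openssl s_client` is on PATH; host:port is $1.

# Turn one s_client transcript into a verdict. A completed handshake prints a
# real "Cipher :" value in the SSL-Session block; a refused one prints "0000".
classify_handshake() {
    case "$1" in
        *"nknown option"*) echo "UNSUPPORTED (local openssl lacks this option)"; return ;;
    esac
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") echo "REJECTED" ;;
        *) echo "ACCEPTED $proto $cipher" ;;
    esac
}

# One probe: $1 = host:port, $2 = cipher string, $3 = optional protocol flag.
probe() {
    classify_handshake "$(openssl s_client -connect "$1" -cipher "$2" $3 2>&1 </dev/null)"
}

# Every class the SSLCipherSuite above excludes should come back REJECTED and
# HIGH ACCEPTED. Caveat: on OpenSSL 1.1.1+ TLS 1.3 suites are picked by
# -ciphersuites, not -cipher, so a TLS 1.3 server can show ACCEPTED for a weak class.
audit() {
    for class in EXP LOW MEDIUM aNULL eNULL 3DES MD5 RC4 HIGH; do
        printf 'cipher %-7s %s\n' "$class" "$(probe "$1" "$class")"
    done
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf 'proto  %-7s %s\n' "$flag" "$(probe "$1" ALL "$flag")"
    done
}

# Constructed transcripts (not captured from a real server) to exercise the parser offline.
SAMPLE_ACCEPTED=$(cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
EOF
)
SAMPLE_REJECTED=$(cat <<'EOF'
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
EOF
)
# Usage: sh audit.sh localhost:443
if [ $# -gt 0 ]; then audit "$1"; fi
```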
By default CentOS ships OpenSSL 1.0.0. OpenSSL 1.0.1, released about a year ago, adds TLS 1.1 and 1.2 and the stronger cipher suites that come with them. Before updating OpenSSL I would back up the server first, in case anything goes wrong, because many programs on a Linux system depend on OpenSSL.
To update OpenSSL, you will need to install the package manually with rpm:

```sh
# Install the IUS repository, which provides openssl 1.0.1e
rpm -Uvh http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-10.ius.el6.noarch.rpm
# Install yum-plugin-replace
yum install yum-plugin-replace
# Replace the stock openssl package with openssl10 (1.0.1e)
yum replace openssl --replace-with openssl10
```

I have also replaced the SSLCipherSuite above with:

```apache
SSLCipherSuite 'AESGCM:RC4:SHA384:SHA256:AES:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!kEDH:!PSK:!SRP:!kECDH'
```
You should also disable SSL compression, which ssllabs.com reports as vulnerable to the CRIME attack:
```apache
# /etc/httpd/conf/httpd.conf
# Disable the module by commenting out its LoadModule line with a #
#LoadModule deflate_module modules/mod_deflate.so
```

and then:

```sh
echo 'export OPENSSL_NO_DEFAULT_ZLIB=1' >> /etc/sysconfig/httpd

# Restart Apache
service httpd restart
```