I work in computer security lately, so I figure I should probably ensure that my site is vaguely secure 🙂 The Qualys SSL test for yaleman.org was showing a ‘B’ grade because of a few things.
Firstly it wasn’t presenting the full SSL CA chain, so I fixed that. Previously I was only presenting my own certificate, leaving the client to already hold the CA certificates needed to complete the chain.
- Downloaded the CA bundle files from the details Comodo provided me.
- Made the bundle file (their support page helped): `cat *.crt > yaleman.org.cabundle`
- Uploaded the file to the server.
- Reconfigured Apache as per the config from Comodo by adding this line to the virtualhost SSL configuration (replace `$filename` with the file location): `SSLCertificateChainFile $filename`
- Confirmed the config by running `apachectl -t`, then restarted Apache.
- Reran the Qualys test and the chain showed up OK.
The next step was to disable the SSL protocol versions and cipher suites vulnerable to POODLE and FREAK.
- Edited `/etc/apache2/mods-enabled/ssl.conf`
- Commented out the existing `SSLCipherSuite` line and added a new one:
`#SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5`
`SSLCipherSuite AES128+EECDH:AES128+EDH`
- Ensured `SSLProtocol` is limited to sensible ones:
`SSLProtocol All -SSLv3 -SSLv2`
- Again, `apachectl -t` and restart.
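As an added example (not from the post), a small Python checker that turns the three changes above into checks against Apache SSL directives: chain file present, SSLv2/SSLv3 disabled, and every cipher group pinned to ephemeral key exchange. The two config fragments are constructed stand-ins for the before/after state, and the cipher check is a keyword heuristic, not a full OpenSSL cipher-string expansion.

```python
# Constructed ssl.conf fragments standing in for the before/after state in the post (not the real file).
WEAK_CONF = """\
SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
SSLProtocol All
"""
FIXED_CONF = """\
SSLCertificateChainFile /etc/ssl/certs/site.cabundle
#SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLProtocol All -SSLv3 -SSLv2
"""
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}  # assumed: what 'All' expands to
PFS_KEYWORDS = ("EECDH", "ECDHE", "EDH", "DHE")  # OpenSSL names for ephemeral key exchange

def parse_directives(conf):
    """Map lowercased directive name -> value for the last uncommented occurrence of each."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lines such as the old SSLCipherSuite are ignored
        name, _, value = line.partition(" ")
        found[name.lower()] = value.strip()
    return found

def enabled_protocols(value):
    """Expand an SSLProtocol value like 'All -SSLv3 -SSLv2' into the set of enabled protocols."""
    enabled = set()
    for token in value.split():
        tok = token.lower()
        if tok.startswith("-"):
            enabled -= ALL_PROTOCOLS if tok == "-all" else {tok[1:]}
        else:
            enabled |= ALL_PROTOCOLS if tok.lstrip("+") == "all" else {tok.lstrip("+")}
    return enabled

def audit(conf):
    """Return the findings the post fixed; an empty list means all three checks pass."""
    d = parse_directives(conf)
    findings = []
    if "sslcertificatechainfile" not in d:
        findings.append("no SSLCertificateChainFile: intermediate CA certs are not served")
    if enabled_protocols(d.get("sslprotocol", "all")) & {"sslv2", "sslv3"}:
        findings.append("SSLv2/SSLv3 enabled (POODLE)")
    # Heuristic only: every non-negated cipher group must name an ephemeral key exchange.
    groups = [g for g in d.get("sslciphersuite", "").split(":") if g and not g.startswith("!")]
    if not groups or not all(any(k in g for k in PFS_KEYWORDS) for g in groups):
        findings.append("cipher suite allows non-ephemeral key exchange (no forward secrecy)")
    return findings
```

Running `audit(WEAK_CONF)` reports all three problems and `audit(FIXED_CONF)` reports none; point it at a real `ssl.conf` before running `apachectl -t`.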
This brought me up to an ‘A’ rating, which is good enough for a cheap SSL cert and ten minutes work. 🙂