SSL a little more S now

I've been working in computer security lately, so I figured I should make sure my own site is at least vaguely secure 🙂 The Qualys SSL test for yaleman.org was showing a ‘B’ grade for a few reasons.

Firstly, it wasn’t presenting the full SSL CA chain, so I fixed that. Previously I was only presenting the server certificate itself, with the client having to already have the root CA.

  1. Downloaded the CA bundle files using the details Comodo provided me.
  2. Made the bundle file (their support page helped):

    cat *.crt > yaleman.org.cabundle

  3. Uploaded the file to the server

  4. Reconfigured Apache as per the config from Comodo by adding this line to the virtualhost SSL configuration (replace $filename with the location of the bundle file):

    SSLCertificateChainFile $filename

  5. Confirmed the config by running apachectl -t, then restarted apache

  6. Reran the Qualys test and that showed up OK.

The next step was to remove the SSL protocol versions and ciphers vulnerable to POODLE and FREAK.

  1. Edited /etc/apache2/mods-enabled/ssl.conf
  2. Comment out the existing SSLCipherSuite line and add a new one:

    #SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
    SSLCipherSuite AES128+EECDH:AES128+EDH

  3. Ensure the SSLProtocol is limited to sensible ones:

    SSLProtocol All -SSLv3 -SSLv2

  4. Again, apachectl -t and restart.
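As an added example (not code from the original post), here is a small shell lint that checks an Apache SSL config for the three things the two procedures above fix: a missing SSLCertificateChainFile, an SSLCipherSuite line that is only present commented out, and an SSLProtocol that still permits SSLv2 or SSLv3. The sample config paths are made up, and the token walk is my reading of how mod_ssl interprets SSLProtocol arguments.

```shell
# Added example, not from the original post. Findings go to stderr, the count to stdout.
ssl_conf_lint() {
    conf="$1"; findings=0
    # Drop comment lines and lower-case the rest: directive names and protocol keywords are case-insensitive.
    live=$(grep -v '^[[:space:]]*#' "$conf" | tr '[:upper:]' '[:lower:]')
    if ! printf '%s\n' "$live" | grep -q '^[[:space:]]*sslcertificatechainfile[[:space:]]'; then
        echo "FINDING: no SSLCertificateChainFile, intermediates will not be served" >&2
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$live" | grep -q '^[[:space:]]*sslciphersuite[[:space:]]'; then
        echo "FINDING: no active SSLCipherSuite line (only a commented one?)" >&2
        findings=$((findings + 1))
    fi
    # Last SSLProtocol line wins; a missing line is treated as the old default 'all'.
    proto=$(printf '%s\n' "$live" | grep '^[[:space:]]*sslprotocol[[:space:]]' \
            | tail -n 1 | sed 's/^[[:space:]]*sslprotocol[[:space:]]*//')
    [ -n "$proto" ] || proto=all
    for old in sslv2 sslv3; do
        # Walk tokens as mod_ssl does: bare name replaces the set, '+name' adds, '-name' removes, left to right.
        enabled=no
        for tok in $proto; do
            case "$tok" in
                "+all"|"+$old") enabled=yes ;;
                "-all"|"-$old") enabled=no ;;
                all|"$old")     enabled=yes ;;
                [+-]*)          ;;
                *)              enabled=no ;;
            esac
        done
        if [ "$enabled" = yes ]; then
            echo "FINDING: SSLProtocol '$proto' still allows $old" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}
# Constructed sample configs (paths are made up): the 'before' state, then the post's fix.
WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
#SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
SSLProtocol all
EOF
cat > "$FIXED_CONF" <<'EOF'
SSLCertificateChainFile /etc/ssl/certs/yaleman.org.cabundle
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLProtocol All -SSLv3 -SSLv2
EOF
echo "before: $(ssl_conf_lint "$WEAK_CONF") finding(s); after: $(ssl_conf_lint "$FIXED_CONF")"
```

The lint only checks that a cipher suite is set; to audit the cipher string itself, expand it with `openssl ciphers -v` and look at what it actually enables.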

This brought me up to an ‘A’ rating, which is good enough for a cheap SSL cert and ten minutes work. 🙂

#Apache #Linux #SSL