Tanstaafl:
> Hi all,
> 
> Noob-alert!
> 
> Ok, a site I have inherited that is running debian (7.4) is running
> Apache, and a test of the SSL for that site reveals a few issues I'd
> like to address.
> 
> First, the site checker I was using is:
> 
> https://sslcheck.globalsign.com/en_US

This appears to be a less common interface to this check which is
recommended often:

https://www.ssllabs.com/ssltest/

> The general results (and recommendations) are:
> 
> Disable weak cipher suites:
> "Use only cipher suites that have authentication and encryption of
> 128-bit or higher."
> 
> Disable SSLv3

I use these settings and receive good results:

SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3

AFAICT, it is not possible to be both resistant to BEAST attacks and
have Perfect Forward Secrecy at the same time with wheezy's Apache. But
since BEAST may be (and usually is) mitigated on the client side, I
prefer PFS.

> Enable 'Strict-Transport-Security'

I didn't know this one. You can add this line to any VirtualHost with a
hostname that you only want to be accessed with SSL:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Do not use it if some parts of your site should be accessible without
SSL.

> Enable 'SPDY'

This is an extension to HTTP developed by Google. Some of its ideas will
find their way into the next version of HTTP (2.0). You don't strictly
need it and it does not improve security except by making SSL mandatory.

J.
-- 
No-one appears to be able to help me.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
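The three configuration points in the reply above (drop SSLv2/SSLv3, exclude the weak cipher families, send a Strict-Transport-Security header) can be checked offline before a site goes back to an online scanner. The following Python script is an added example, not code from the thread or from Apache; it parses a mod_ssl snippet and reports which of those points are not met. The set of protocols that Apache's `all` keyword expands to, the 180-day minimum HSTS `max-age`, and the function names are assumptions made for this example; the "good" sample is the configuration quoted in the reply and the "weak" sample is constructed.

```python
"""Audit an Apache mod_ssl configuration snippet for the points raised in the
thread: SSLv2/SSLv3 still enabled, weak cipher families not excluded, server
cipher order not enforced, and HSTS missing or too short."""
import re
import shlex

# Protocols that Apache's "all" keyword is assumed to expand to in this example;
# the real set depends on the Apache and OpenSSL versions installed.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Cipher families the thread recommends excluding with a "!" entry.
MUST_EXCLUDE = ["aNULL", "eNULL", "EXP", "LOW", "MD5", "RC4"]
# Minimum HSTS max-age (180 days) this example insists on; an assumed threshold.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

# Sample 1: the wheezy configuration quoted in the reply above.
GOOD_CONF = """
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
"""

# Sample 2: a constructed weak configuration (SSLv3 left on, RC4 etc. not excluded,
# no cipher order, no HSTS).
WEAK_CONF = """
SSLCipherSuite 'ALL:!aNULL'
SSLProtocol all -SSLv2
"""


def parse_directives(text):
    """Return {directive_name_lowercase: [argument lists]} for each non-comment line."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quoting Apache accepts around values
        found.setdefault(parts[0].lower(), []).append(parts[1:])
    return found


def enabled_protocols(args):
    """Apply SSLProtocol semantics: bare names (or 'all') enable, '-name' removes."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def audit(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []

    # Apache's default when SSLProtocol is absent is "all".
    protos = enabled_protocols(d["sslprotocol"][-1]) if "sslprotocol" in d else set(ALL_PROTOCOLS)
    for old in ("SSLv2", "SSLv3"):
        if old in protos:
            findings.append(f"{old} is enabled (add -{old} to SSLProtocol)")

    if "sslciphersuite" not in d:
        findings.append("SSLCipherSuite not set (OpenSSL defaults apply)")
    else:
        ciphers = d["sslciphersuite"][-1][0].split(":")
        for fam in MUST_EXCLUDE:
            if "!" + fam not in ciphers:
                findings.append(f"cipher string does not exclude {fam} (add !{fam})")

    honor = d.get("sslhonorcipherorder", [["off"]])[-1][0].lower()
    if honor != "on":
        findings.append("SSLHonorCipherOrder is not on (client may pick a weaker suite)")

    # Accept "Header set ..." as well as "Header always set ...": the value follows the name.
    hsts_value = None
    for args in d.get("header", []):
        names = [a.lower() for a in args]
        if "strict-transport-security" in names:
            rest = args[names.index("strict-transport-security") + 1:]
            hsts_value = rest[0] if rest else ""
    if hsts_value is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts_value)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it on the snippet from `/etc/apache2/sites-enabled/` (pasted into `GOOD_CONF`'s place) and fix each finding before re-running the SSL Labs test; the script does not replace the scanner, since it reads only the directives and not what the running OpenSSL actually negotiates.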
