Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
On 26.04.2017 08:58, Nicolas Kovacs wrote:
> Hi,
>
> I'm currently experimenting with a public server running CentOS 7. I have
> half a dozen production servers all running Slackware Linux, and I intend
> to progressively migrate them to CentOS, for a host of reasons (support
> cycle, package availability, SELinux, etc.) But before doing that, I have
> to figure out a few things that work differently under CentOS.
>
> Apache and SSL behave quite differently under these two distributions.
>
> So far, Apache is running fine with HTTP and hosts a series of virtual
> hosts. I have installed Certbot and created a Let's Encrypt certificate
> for the server. I have a "dummy" website under /var/www/html/default/html.
>
> I installed mod_ssl and only edited the following directives in
> /etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.
>
> --8<
> ...
> DocumentRoot "/var/www/html/default/html"
> ServerName sd-41893.dedibox.fr:443
> ...
> SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
> SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
> --8<
>
> After restarting Apache, the website shows up correctly.
>
> https://sd-41893.dedibox.fr/
>
> But when I test it using Qualys SSL Labs Server Test, the results are a
> disappointment.

with this:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on

you get Grade A+

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
On 26/04/2017 at 16:16, James Hogarth wrote:
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
>
> This config gets me an A+ rating on the ssllabs test:
>
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
>
> Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
>
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tend to
> struggle otherwise with only a strict set of secure ciphers.

Thanks for the detailed explanation!

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32
Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
> On 26.04.2017 at 17:17, Fabian Arrotin wrote:
>
> On 26/04/17 16:16, James Hogarth wrote:
>> On 26 April 2017 at 13:16, Steven Tardy wrote:
>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs wrote:
>>>> The site is rated "C"
>>>
>>> The RHEL/CentOS out-of-the-box apache tls is a little old but operational.
>>> This Mozilla resource is excellent for getting apache tls config up-to-date.
>>>
>>> https://wiki.mozilla.org/Security/Server_Side_TLS
>>
>> I'm not 100% on any differences in ciphers available, but I don't
>> think there should be much difference between EL7 and Fedora.
>>
>> This config gets me an A+ rating on the ssllabs test:
>>
>> SSLEngine on
>> SSLProtocol all -SSLv2 -SSLv3
>> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
>>
>> Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
>>
>> IIRC the Red Hat defaults are somewhat conservative on their
>> limitations in order to simplify and maximise client connectivity - as
>> some stuff (especially java apps or older mobile devices) tend to
>> struggle otherwise with only a strict set of secure ciphers.
>
> Outside of Qualys, I found the following sites interesting :
>
> https://cipherli.st/ (recommendations)
> https://ssldecoder.org (testing tool)

+ https://access.redhat.com/articles/1462183

-- 
LF
Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
On 26/04/17 16:16, James Hogarth wrote:
> On 26 April 2017 at 13:16, Steven Tardy wrote:
>>
>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs wrote:
>>>
>>> The site is rated "C"
>>
>> The RHEL/CentOS out-of-the-box apache tls is a little old but operational.
>> This Mozilla resource is excellent for getting apache tls config up-to-date.
>>
>> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
>
> This config gets me an A+ rating on the ssllabs test:
>
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
>
> Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
>
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tend to
> struggle otherwise with only a strict set of secure ciphers.

Outside of Qualys, I found the following sites interesting :

https://cipherli.st/ (recommendations)
https://ssldecoder.org (testing tool)

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
On 26 April 2017 at 13:16, Steven Tardy wrote:
>
>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs wrote:
>>
>> The site is rated "C"
>
> The RHEL/CentOS out-of-the-box apache tls is a little old but operational.
> This Mozilla resource is excellent for getting apache tls config up-to-date.
>
> https://wiki.mozilla.org/Security/Server_Side_TLS

I'm not 100% on any differences in ciphers available, but I don't
think there should be much difference between EL7 and Fedora.

This config gets me an A+ rating on the ssllabs test:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com

IIRC the Red Hat defaults are somewhat conservative on their
limitations in order to simplify and maximise client connectivity - as
some stuff (especially java apps or older mobile devices) tend to
struggle otherwise with only a strict set of secure ciphers.
Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs wrote:
>
> The site is rated "C"

The RHEL/CentOS out-of-the-box apache tls is a little old but operational.
This Mozilla resource is excellent for getting apache tls config up-to-date.

https://wiki.mozilla.org/Security/Server_Side_TLS
Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
Hi,

On Wed, Apr 26, 2017 at 08:58:39AM +0200, Nicolas Kovacs wrote:
...
> * This server is vulnerable to the POODLE attack. If possible, disable
> SSL 3 to mitigate. Grade capped to C."

https://wiki.centos.org/Security/POODLE

<...>

Tru
-- 
Tru Huynh
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
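The thread boils down to three things SSL Labs looks at: which protocols `SSLProtocol` leaves on (SSLv3 on means the POODLE cap to C that Tru quotes), which suites the `SSLCipherSuite` string actually expands to on the server's OpenSSL, and whether HSTS is sent. The script below is an added example, not code from the thread, from CentOS or from httpd: it parses an ssl.conf fragment offline and reports those findings, expanding the cipher string with the OpenSSL parser that Python's `ssl` module wraps (assumption: Python 3.6+; the expanded list depends on the local OpenSSL build, so a 2017 CentOS 7 box and a current OpenSSL 3 host will not give identical lists). The `ALL_PROTOCOLS` expansion of `all` is what httpd 2.4 on OpenSSL 1.0.x did; the `DEFAULT_LIKE` fragment is constructed to model the stock CentOS 7 ssl.conf that produced the C grade (assumption); the one-year HSTS threshold is the current hstspreload.org submission requirement, which SSL Labs did not require for A+ at the time. The two A+ configurations are the ones posted in the thread (the first reply's cipher string and James Hogarth's).

```python
"""Offline audit of an Apache mod_ssl fragment (added example, not thread code)."""
import re
import ssl

# What httpd 2.4 expanded "SSLProtocol all" to on OpenSSL 1.0.x, as on CentOS 7
# in 2017 (assumption; newer builds drop SSLv3 and add TLSv1.3).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
ONE_YEAR = 31536000  # hstspreload.org minimum max-age for preload submission (assumption)

# Constructed fragment modelling the out-of-the-box CentOS 7 ssl.conf the poster
# kept: SSLv3 still enabled, permissive cipher list, no HSTS (assumption).
DEFAULT_LIKE = """
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
"""

# The A+ configuration from the first reply in the thread.
THREAD_REPLY = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on
"""

# James Hogarth's A+ configuration, cipher string and HSTS header as posted.
HOGARTH = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
"""


def parse_ssl_protocol(value):
    """Evaluate an SSLProtocol value: 'all' expands, '+X'/'X' adds, '-X' removes."""
    enabled = set()
    for tok in value.split():
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else (name,)
        if tok.startswith("-"):
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string to the suite names it selects on this host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError only if nothing at all matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Suites SSL Labs penalised in 2017: RC4, (3)DES, MD5, NULL/export, anonymous DH."""
    bad = re.compile(r"RC4|DES-CBC|MD5|NULL|EXP|^A(EC)?DH-")
    return [n for n in names if bad.search(n)]


def no_forward_secrecy(names):
    """Suites keyed by static RSA or static (EC)DH rather than an ephemeral exchange."""
    return [n for n in names if not re.match(r"(ECDHE|DHE|EDH|TLS_)", n)]


def parse_directives(conf):
    """Pull the directives the audit cares about out of an ssl.conf fragment."""
    found = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key in ("SSLProtocol", "SSLCipherSuite", "SSLHonorCipherOrder"):
            found[key] = rest.strip().strip("'\"")
        elif key == "Header":
            m = re.search(r'Strict-Transport-Security\s+"([^"]*)"', line)
            if m:
                found["HSTS"] = m.group(1)
    return found


def audit(conf):
    """Return (severity, message) findings; 'C' marks a grade cap, 'warn' a deduction."""
    d = parse_directives(conf)
    findings = []
    protos = parse_ssl_protocol(d.get("SSLProtocol", "all"))  # httpd default is 'all'
    if "SSLv3" in protos:
        findings.append(("C", "SSLv3 enabled: POODLE, SSL Labs caps the grade at C"))
    names = expand_cipher_string(d.get("SSLCipherSuite", "DEFAULT"))  # stand-in default
    for n in weak_ciphers(names):
        findings.append(("warn", "weak cipher offered: " + n))
    static = no_forward_secrecy(names)
    if static:
        findings.append(("info", "%d suite(s) without forward secrecy, e.g. %s" % (len(static), static[0])))
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append(("warn", "SSLHonorCipherOrder off: the client, not the server, picks the suite"))
    hsts = d.get("HSTS")
    if hsts is None:
        findings.append(("warn", "no Strict-Transport-Security header: SSL Labs A+ needs HSTS"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if "preload" in hsts and age < ONE_YEAR:
            findings.append(("warn", "HSTS carries 'preload' but max-age %d is below the one-year minimum hstspreload.org requires" % age))
    return findings


if __name__ == "__main__":
    for label, conf in (("default-like", DEFAULT_LIKE), ("thread reply", THREAD_REPLY), ("hogarth", HOGARTH)):
        print(label)
        for sev, msg in audit(conf):
            print("  [%s] %s" % (sev, msg))
```

The cipher-list findings are only as good as the OpenSSL the script runs on: run it on the CentOS box itself (or inspect `openssl ciphers -v` there) rather than on a workstation, since a suite that a current OpenSSL no longer compiles in (RC4, for instance) may still be offered by the 1.0.x build mod_ssl links against.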