Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

2017-04-29 Thread Walter H.

On 26.04.2017 08:58, Nicolas Kovacs wrote:

Hi,

I'm currently experimenting with a public server running CentOS 7. I
have half a dozen production servers all running Slackware Linux, and I
intend to progressively migrate them to CentOS, for a host of reasons
(support cycle, package availability, SELinux, etc.) But before doing
that, I have to figure out a few things that work differently under
CentOS. Apache and SSL behave quite differently under these two
distributions.

So far, Apache is running fine with HTTP and hosts a series of virtual
hosts.

I have installed Certbot and created a Let's Encrypt certificate for the
server.

I have a "dummy" website under /var/www/html/default/html.

I installed mod_ssl and only edited the following directives in
/etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.

--8<
...
DocumentRoot "/var/www/html/default/html"
ServerName sd-41893.dedibox.fr:443
...
SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
--8<

After restarting Apache, the website shows up correctly.

https://sd-41893.dedibox.fr/

But when I test it using Qualys SSL Labs Server Test, the results are a
disappointment.


With this:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on

you get Grade A+.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

2017-04-26 Thread Nicolas Kovacs
On 26/04/2017 at 16:16, James Hogarth wrote:
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
> 
> This config gets me an A+ rating on the sslabs test:
> 
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
> EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
> !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
> 
> 
>   Header always set Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
> 
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
> 
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tend to
> struggle otherwise with only a strict set of secure ciphers.

Thanks for the detailed explanation!

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32


Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

2017-04-26 Thread Leon Fauster
> On 26.04.2017 at 17:17, Fabian Arrotin wrote:
> 
> On 26/04/17 16:16, James Hogarth wrote:
>> On 26 April 2017 at 13:16, Steven Tardy  wrote:
>>> 
>>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs  wrote:
>>>> 
>>>> The site is rated "C"
>>> 
>>> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. 
>>> This Mozilla resource is excellent for getting apache tls config up-to-date.
>>> 
>>> https://wiki.mozilla.org/Security/Server_Side_TLS
>> 
>> I'm not 100% on any differences in ciphers available, but I don't
>> think there should be much difference between EL7 and Fedora.
>> 
>> This config gets me an A+ rating on the sslabs test:
>> 
>> SSLEngine on
>> SSLProtocol all -SSLv2 -SSLv3
>> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
>> EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
>> !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
>> 
>> 
>>  Header always set Strict-Transport-Security "max-age=15768000;
>> includeSubDomains; preload"
>> 
>> 
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
>> 
>> IIRC the Red Hat defaults are somewhat conservative on their
>> limitations in order to simplify and maximise client connectivity - as
>> some stuff (especially java apps or older mobile devices) tend to
>> struggle otherwise with only a strict set of secure ciphers.
> 
> Outside of Qualys, I found the following sites interesting:
> 
> https://cipherli.st/ (recommendations)
> https://ssldecoder.org (testing tool)

+

https://access.redhat.com/articles/1462183

--
LF



Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

2017-04-26 Thread Fabian Arrotin
On 26/04/17 16:16, James Hogarth wrote:
> On 26 April 2017 at 13:16, Steven Tardy  wrote:
>>
>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs  wrote:
>>>
>>> The site is rated "C"
>>
>> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. 
>> This Mozilla resource is excellent for getting apache tls config up-to-date.
>>
>> https://wiki.mozilla.org/Security/Server_Side_TLS
> 
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
> 
> This config gets me an A+ rating on the sslabs test:
> 
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
> EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
> !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
> 
> 
>   Header always set Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
> 
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
> 
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tend to
> struggle otherwise with only a strict set of secure ciphers.

Outside of Qualys, I found the following sites interesting:

https://cipherli.st/ (recommendations)
https://ssldecoder.org (testing tool)

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab


Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

2017-04-26 Thread James Hogarth
On 26 April 2017 at 13:16, Steven Tardy  wrote:
>
>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs  wrote:
>>
>> The site is rated "C"
>
> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. 
> This Mozilla resource is excellent for getting apache tls config up-to-date.
>
> https://wiki.mozilla.org/Security/Server_Side_TLS

I'm not 100% on any differences in ciphers available, but I don't
think there should be much difference between EL7 and Fedora.

This config gets me an A+ rating on the sslabs test:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"


  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"


https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com

IIRC the Red Hat defaults are somewhat conservative on their
limitations in order to simplify and maximise client connectivity - as
some stuff (especially java apps or older mobile devices) tend to
struggle otherwise with only a strict set of secure ciphers.
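As an added check that is not part of the thread: the script below hands both SSLCipherSuite values posted here (James's and Walter's) to the local OpenSSL through Python's standard ssl module and lists what actually survives the string, which is what SSL Labs grades, flagging the suites it marks down and any that lack forward secrecy. It assumes a Python build with the ssl module; run it on the server itself, because the expansion depends on that host's OpenSSL build, not on the string alone.

```python
import ssl

# Both SSLCipherSuite values are copied from the thread: James Hogarth's (space
# separated) and Walter H.'s (colon separated); OpenSSL accepts either separator.
JAMES = ("EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
         "EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES "
         "!CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4")
WALTER = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:"
          "EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:"
          "!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP")

# Name fragments of suites SSL Labs marks down: RC4, single/triple DES ("DES-CBC3"),
# MD5 MACs, NULL encryption or authentication, export grade.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")
# Key-exchange ids reported by SSLContext.get_ciphers() that give forward secrecy;
# TLS 1.3 suites report "kx-any" because their key exchange is always ephemeral.
PFS_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def expand(cipher_string):
    """Expand an SSLCipherSuite value with the local OpenSSL, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError only if nothing at all matches
    return ctx.get_ciphers()         # dicts with name, protocol, kea, auth, ...


def audit(cipher_string):
    """Report weak suites, suites without forward secrecy, and the first TLS<=1.2 choice."""
    suites = expand(cipher_string)
    weak = [c["name"] for c in suites
            if any(m in c["name"] for m in WEAK_MARKERS) or c["auth"] == "auth-null"]
    # Static-RSA key exchange (e.g. AES256-SHA) has no forward secrecy; Walter's
    # "AES:HIGH:MEDIUM" tail pulls such suites in, James's string never adds them.
    no_pfs = [c["name"] for c in suites
              if c["protocol"] != "TLSv1.3" and c["kea"] not in PFS_KX]
    first = next((c["name"] for c in suites if c["protocol"] != "TLSv1.3"), None)
    return {"count": len(suites), "weak": weak, "no_pfs": no_pfs, "first": first}


if __name__ == "__main__":
    for label, value in (("James", JAMES), ("Walter", WALTER)):
        r = audit(value)
        print(f"{label}: {r['count']} suites, first choice {r['first']}")
        print(f"  weak: {r['weak'] or 'none'}")
        print(f"  no forward secrecy: {r['no_pfs'] or 'none'}")
```

Note that James's "EECDH+aRSA+RC4" never takes effect because the trailing "!RC4" removes it again, which the audit confirms; the SSLProtocol directive that addresses POODLE is separate from the cipher string and is not covered here.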


Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

2017-04-26 Thread Steven Tardy

> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs  wrote:
> 
> The site is rated "C"

The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This 
Mozilla resource is excellent for getting apache tls config up-to-date.

https://wiki.mozilla.org/Security/Server_Side_TLS


Re: [CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

2017-04-26 Thread Tru Huynh
Hi,

On Wed, Apr 26, 2017 at 08:58:39AM +0200, Nicolas Kovacs wrote:
...
> * This server is vulnerable to the POODLE attack. If possible, disable
> SSL 3 to mitigate. Grade capped to C."
https://wiki.centos.org/Security/POODLE

<...>

Tru
-- 
Tru Huynh 
http://pgp.mit.edu:11371/pks/lookup?op=get=0xBEFA581B
