Apache httpd SSL Configuration
My company's client is going to do a penetration test on our product, and I was assigned to configure the Apache server, mainly to enhance the SSL cipher settings.
Below are some notes on SSL configuration for Apache httpd.
Basics
Learn SSL Basics at http://www.wisegeek.com/what-is-an-ssl-cipher.htm
Basically, we need to configure which SSL protocols and ciphers are allowed.
For SSLProtocol, SSLv2 and SSLv3 have been proven vulnerable, so go with TLSv1, TLSv1.1 and TLSv1.2 whenever possible.
The main challenge is setting up the SSL ciphers: there are a large number of them and some have been proven vulnerable, so you need to disable those, but not all ciphers.
There are no best settings, as they depend on which environments/browsers you want to support; some older environments may only have vulnerable ciphers available.
Test Tools, Websites
COMODO SSL Analyzer
This tool lists the available SSL protocols and ciphers, and it also gives hints on any vulnerable protocol or weak cipher. Disable all the ciphers or protocols that are marked as weak/vulnerable.
QUALYS SSL LABS - SSL Server Test
This one gives a more detailed result compared to the COMODO SSL Analyzer. It also gives a scaled score (scale from A to F, I guess).
If your score is below A, it gives suggestions on how to improve.
This tool also does connection tests on major browsers so that you can check whether all supported platforms can establish a connection to your website.
If you can get A without losing any targeted browser support, then you should be good.
QUALYS FREESCAN
(Registration required)
This one will generate a much more detailed test report.
BUT be aware that you have a limited number of scans for each account.
I registered an account and found out that it only supports 10 reports by default, but I did get an email instructing how to get more scans.
OpenSSL s_client
openssl s_client -cipher [cipher-names] -connect [host:port] (protocol flags)
Available Protocol flags:
For cipher names, see https://www.openssl.org/docs/apps/ciphers.html for reference (use the short names).
Bluestack screenshot
We used this tool to check whether all supported browsers can establish a connection to our website.
Config example
The settings should be placed under the corresponding VirtualHost tag in httpd.conf or ssl.conf, or in some other customized .conf file.
SSLProtocol should be self-explanatory.
For SSLCipherSuite, check the syntax at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite,
and check the available suites at https://www.openssl.org/docs/apps/ciphers.html.
We can also do a whitelist approach like:
Here is a guideline you can follow:
SSL/TLS Strong Encryption: How-To
Common issues
Config does not get reflected even after httpd restart
This means that another VirtualHost tag or another config file is overriding your configuration, and you need to find out which one.
Forward secrecy not enabled
Add this line to apache config:
SSLHonorCipherOrder on
Anonymous cipher suites are not disabled
Add !aNULL to SSLCipherSuite.
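Putting the config section and the common issues above together, here is an added example VirtualHost for Apache 2.4 mod_ssl (my own illustration, not the original post's config; the ServerName and certificate paths are placeholders). It uses the whitelist approach for SSLCipherSuite, lists the forward-secrecy (ECDHE/DHE) suites first and turns on SSLHonorCipherOrder so that order actually wins, and appends !aNULL and the other exclusions:

```apache
<VirtualHost *:443>
    # Placeholder hostname and certificate paths; replace with your own
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key

    # Protocols: everything except SSLv2 and SSLv3 (i.e. TLSv1 and newer).
    # Recent OpenSSL builds no longer contain SSLv2; "-SSLv2" is then harmless.
    SSLProtocol all -SSLv2 -SSLv3

    # Whitelist approach: name the allowed suites explicitly instead of
    # starting from ALL/HIGH. Forward-secrecy suites (ECDHE, then DHE) go
    # first because SSLHonorCipherOrder makes the server pick by this order.
    # The trailing "!" entries are a safety net: anonymous suites (!aNULL),
    # null encryption (!eNULL), export grade, RC4, MD5 and 3DES can never
    # be re-enabled by a later edit to the list.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!3DES

    # Without this the client's preference order is used, and an old client
    # that lists a non-forward-secrecy suite first would get it even though
    # ECDHE is available. This is the fix for "Forward secrecy not enabled".
    SSLHonorCipherOrder on
</VirtualHost>
```

These directives apply per VirtualHost, so if the scanners still report the old settings after a restart, look for another VirtualHost for the same address/port or another .conf that sets SSLCipherSuite. You can preview what a cipher string expands to before deploying it with `openssl ciphers -v '<the SSLCipherSuite string>'` on the server; anonymous or RC4 suites should not appear in that list.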
Other Reference
The Basics of How to Work with Cipher Settings - Dr John’s Tech Talk
SSL and Penetration Test