How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME -

How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME

Many users still are not aware but simply patching OpenSSL does not secure you against many known and easy to exploit attacks that will render your encryption useless by an attacker.

Use the following setings in /etc/httpd/conf.d/ssl.conf
 

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2

The above passed all tests on RapidSSL https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Vulnerabilities checked:
  • Heartbleed
  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME

Essentially what the above does is disable all known exploitable/weak ciphers and forces only TLS1.2 which is the only known secure version of TLS at this moment.  The settings above protect you against the listed vulnerabilities (just make sure you have a recent enough OpenSSL version that does support TLS 1.2, older distributions such as Centos 5 do not).


  • wget how to resume download!
  • strange vi errors in Linux Mint/Ubuntu line 58: E488: Trailing characters: t_Sbet line 63: E171: Missing :endif
  • MySQL Add multiple IPs for remote user including root howto
  • cPanel error Access denied for user 'root'@'localhost' when adding remote MySQL IP address solution
  • Text Editors - Top Linux Ubuntu/Debian/Mint Options
  • Linux shows my drive as being dead is it really? Buffer I/O error on device sdb, logical block 0 sd 3:0:0:0: [sdb] CDB: Read(10): 28 00 00 00 00 00 00 00 08 00
  • use ffmpeg to watermark videos if mencoder/bmovl fail
  • mencoder bmovl error vf_bmovl: Unknown command: ''. Ignoring.
  • Linux Mint/Ubuntu/Debian Nvidia driver becomes slow graphics performance issue
  • Linux Mint missing ffmpeg solution to install from Ubuntu PPA
  • phpBB3 slow and internal dummy connection
  • check if Apache uses worker MPM or prefork MPM
  • text to speech for Linux
  • How to convert xlsx/xls Excel file into csv
  • Linux bash script how to generate a random password using /dev/urandom
  • ssh forward multiple ports in the same connection and command even works with NAT!
  • How to create openssl md5 password hash to use in /etc/shadow using bash
  • Avocent DSR8020 KVM/IP - Network Connect Error - Solution
  • PHP Parse error: syntax error, unexpected '[' in phpBB3/vendor/react/promise/src/functions.php on line 15
  • tar extraction changes ownership of /root directory