How to Properly Secure SSL/TLS Apache Settings against Heartbleed, Poodle (TLS), Poodle (SSLv3), FREAK, BEAST, CRIME

Many users are still not aware that simply patching OpenSSL does not protect you against many known, easy-to-exploit attacks that let an attacker render your encryption useless.

Use the following settings in /etc/httpd/conf.d/ssl.conf:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2

The above passed all tests on the RapidSSL checker: https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Vulnerabilities checked:
  • Heartbleed
  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME

Essentially, the above disables all known exploitable/weak ciphers and forces TLS 1.2 only, which is the only known secure version of TLS at this moment. The settings above protect you against the listed vulnerabilities (just make sure you have a recent enough OpenSSL version that supports TLS 1.2; older distributions such as CentOS 5 do not).
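One way to check the two directives offline before reloading Apache, as an added example that is not part of the original post: it models how the SSLProtocol tokens combine and expands the SSLCipherSuite string with the OpenSSL build that Python is linked against, which is assumed to be the same one httpd uses. The function names and the BANNED fragment list are constructed for illustration.

```python
import ssl

# Values copied from the ssl.conf directives above.
CIPHER_SUITE = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
                "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH "
                "EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 "
                "!EXP !PSK !SRP !DSS")
PROTOCOL = "-all +TLSv1.2 -SSLv3 -SSLv2"

# Simplification: "all" here means every name in KNOWN.
KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Constructed list of name fragments mirroring the "!" exclusions
# (DES-CBC3 is OpenSSL's name for 3DES suites; ADH/AECDH are the aNULL suites).
BANNED = ("RC4", "DES-CBC3", "CAMELLIA", "SEED", "MD5", "NULL", "EXP",
          "PSK", "SRP", "DSS", "ADH", "AECDH")


def effective_protocols(value):
    """Model SSLProtocol: tokens apply left to right; a bare name replaces the set."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):]
        names = set(KNOWN) if name.lower() == "all" else {name}
        if not names <= KNOWN:
            raise ValueError(f"unknown protocol: {name}")
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names
    return sorted(enabled)


def enabled_suites(cipher_string):
    """Expand the string with the local OpenSSL, skipping TLS 1.3 suites,
    which this cipher string does not control."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names):
    """Return every enabled suite whose name contains a banned fragment."""
    return [n for n in names if any(b in n for b in BANNED)]


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "| TLS 1.2 support:", ssl.HAS_TLSv1_2)
    print("Protocols:", effective_protocols(PROTOCOL))
    suites = enabled_suites(CIPHER_SUITE)
    print("Weak suites:", weak_suites(suites) or "none")
    print("\n".join(suites))
```

The printed suite list also shows which CBC suites the trailing EECDH and EDH+aRSA entries keep enabled on the local build.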

