How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME

Many users still are not aware but simply patching OpenSSL does not secure you against many known and easy to exploit attacks that will render your encryption useless by an attacker.

Use the following setings in /etc/httpd/conf.d/ssl.conf
 

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2

The above passed all tests on RapidSSL https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Vulnerabilities checked:
  • Heartbleed
  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME

Essentially what the above does is disable all known exploitable/weak ciphers and forces only TLS1.2 which is the only known secure version of TLS at this moment.  The settings above protect you against the listed vulnerabilities (just make sure you have a recent enough OpenSSL version that does support TLS 1.2, older distributions such as Centos 5 do not).


Tags:

ssl, tls, apache, settings, heartbleed, poodle, sslv, crimemany, users, patching, openssl, exploit, attacks, render, encryption, attacker, setings, etc, httpd, conf, sslciphersuite, quot, eecdh, ecdsa, aesgcm, arsa, sha, edh, camellia, des, rc, anull, enull, md, exp, psk, srp, dss, sslprotocol, tlsv, rapidssl, https, cryptoreport, checker, views, certcheck, jsp, vulnerabilities, essentially, disable, exploitable, ciphers, listed, distributions, centos,

Latest Articles

  • VMWare Pro Workstation Nic Disconnected and No IP Using NAT
  • Linux How To Create A RamDisk
  • mdadm force resync when resync=PENDING solution
  • Proxmox Breaks Storage/LVM Backing If Killing QEMU-IMG
  • Proxmox trying to acquire lock... TASK ERROR: can't lock file '/var/lock/qemu-server/lock-102.conf' - got timeout
  • Debian 9 SSH root password authentication failure password not working problem / solution
  • QEMU / KVM How To Manually Create Basic Virtual Machine VM
  • Linux wlan0 check all wireless clients
  • PHP Issues With Decoding Strange Smart Quotes And Non-Standard ASCII Characters
  • /etc/iproute2/rt_tables default settings file in Linux Centos 6,7 and most other NIX's
  • bind named error solutions named[2169]: error (no valid DS) resolving / error (broken trust chain) resolving / : error (no valid RRSIG) resolving 'com/DS/IN':
  • iptables how to log ALL dropped incoming packets
  • How To Edit Linux Based NM Network Manager Connection Settings Without GUI
  • Linux Disable IPV6 Centos / Debian / Mint Howto
  • Linux use growisofs to burn a larger file on a BD-R / Bluray Disc
  • Linux partprobe/partx cannot access last and 4th partition
  • DRBD Errors Caused By Physical Corruption
  • mdadm: add new device failed for /dev/sdb4 as 3: Invalid argument solution
  • Linux named / bind how to dump, view and clear the cache!
  • Centos 6 / 7 / 8 How To Change Default nameservers in /etc/resolv.conf when using DHCP / dhclient