How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME -

How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME

Many users still are not aware but simply patching OpenSSL does not secure you against many known and easy to exploit attacks that will render your encryption useless by an attacker.

Use the following setings in /etc/httpd/conf.d/ssl.conf
 

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2

The above passed all tests on RapidSSL https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Vulnerabilities checked:
  • Heartbleed
  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME

Essentially what the above does is disable all known exploitable/weak ciphers and forces only TLS1.2 which is the only known secure version of TLS at this moment.  The settings above protect you against the listed vulnerabilities (just make sure you have a recent enough OpenSSL version that does support TLS 1.2, older distributions such as Centos 5 do not).


  • Linux how to view video card make and exact model
  • Authentication refused: bad ownership or modes for directory /home/user SSH Public Key Authentication Failed Solution
  • How to Update Linux /usr/share/misc/pci.ids
  • pcimodules and lspci not working alternative solution
  • How to disable Google Fonts in Wordpress
  • Unable to load dynamic library /usr/lib64/php/modules/php_openssl
  • mysqld in Linux hacked
  • W: GPG error: http://archive.debian.org squeeze Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA NO_PUBKEY 64481591B98321F9
  • cannot mount kvm ntfs image
  • h264 DVR security camera footage cannot be played
  • dhcpd.conf how to secure so only known and allowed clients will be given dhcpd IP address leases
  • Thunderbird E-mail List Blank White but e-mails still clickable and viewable
  • css responsive images
  • responsive table without changing much code solution
  • yum how to install old obsolete packages
  • PHP Howto Store Value of Included File Output Into Variable
  • PHP Migration from 5.3 to 5.4+ and dealing with deprecated functions
  • ffmpeg vidstab to stabilize video
  • userdel user userdel: cannot lock /etc/passwd; try again later.
  • mdadm how to mount inactive array