How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME

Many users still are not aware but simply patching OpenSSL does not secure you against many known and easy to exploit attacks that will render your encryption useless by an attacker.

Use the following setings in /etc/httpd/conf.d/ssl.conf
 

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2

The above passed all tests on RapidSSL https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Vulnerabilities checked:
  • Heartbleed
  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME

Essentially what the above does is disable all known exploitable/weak ciphers and forces only TLS1.2 which is the only known secure version of TLS at this moment.  The settings above protect you against the listed vulnerabilities (just make sure you have a recent enough OpenSSL version that does support TLS 1.2, older distributions such as Centos 5 do not).


Tags:

ssl, tls, apache, settings, heartbleed, poodle, sslv, crimemany, users, patching, openssl, exploit, attacks, render, encryption, attacker, setings, etc, httpd, conf, sslciphersuite, quot, eecdh, ecdsa, aesgcm, arsa, sha, edh, camellia, des, rc, anull, enull, md, exp, psk, srp, dss, sslprotocol, tlsv, rapidssl, https, cryptoreport, checker, views, certcheck, jsp, vulnerabilities, essentially, disable, exploitable, ciphers, listed, distributions, centos,

Latest Articles

  • Linux Mint Mate Customize the Lock screen messages and hide username and real name
  • Ubuntu/Gnome/Mint/Centos How To Take a partial screenshot
  • ssh how to verify your host key / avoid MIM attacks
  • Cisco IP Phone CP-8845 8800/8900 Series How To Reset To Factory Settings Instructions
  • ls how to list ONLY directories
  • How to encrypt your SSH private key file id_rsa
  • Linux Mint 18 Disable User Name List from showing on Login Screen
  • Firefox Cannot Hit Enter Key In Address Bar and Location History Not Working
  • Cisco Unified Communications Manager / CUCM IP 8.6,10,12 Install Error Solution
  • Ubuntu Debian Mint Linux SSHD OpenSSH Server Not Starting After Reboot Solution
  • nmap how to scan for all ports and not just the 1000 most common ports
  • Windows 7,8,10 and Server 2008, 2012, 2016, 2019 Read Only Attribute Won't Go Away
  • bind / named how to make a wildcard record and retain defined A records
  • Cisco Unified Communications Manager 12 Install Errors on Proxmox/KVM
  • Local Vs Universally Administered MAC Address NIC Refuses to come up
  • Cisco Unified Communications Manager 12 CUCM 12 - How To Enable Video Calling
  • Windows 7, 8, 10, Windows Server 2008, 2012, 2016, 2019 How To AC97 Audio Drivers and Other Unsigned Drivers
  • Cisco Unified Communications Manager / CUCM IP Telephony Definitions
  • tftp Linux xinetd verbose logging
  • Linux delete unused tap devices automatically