How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME -

How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME

Many users still are not aware but simply patching OpenSSL does not secure you against many known and easy to exploit attacks that will render your encryption useless by an attacker.

Use the following setings in /etc/httpd/conf.d/ssl.conf
 

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2

The above passed all tests on RapidSSL https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Vulnerabilities checked:
  • Heartbleed
  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME

Essentially what the above does is disable all known exploitable/weak ciphers and forces only TLS1.2 which is the only known secure version of TLS at this moment.  The settings above protect you against the listed vulnerabilities (just make sure you have a recent enough OpenSSL version that does support TLS 1.2, older distributions such as Centos 5 do not).


  • How Do you Open/Extract .WARC Internet Archive Files on Linux Ubuntu/Mint/Centos?
  • How To Disable htaccess inheritance or exclude a directory
  • root/home directory has ownership changed to the wrong user/owner mysteriously
  • mdadm and lvm how to completely disable and remove vg/pv/lv
  • sshd[10470]: Authentication refused: bad ownership or modes for directory /root
  • LG Phoenix 2 Escape Disable AT&T Phonebook/Contacts Error Message
  • mdadm frozen and doesn't realize array is dead/missing failed due to unplugged drives
  • Unable to mount location Failed to retrieve share list from server: No such file or directory solution
  • mdadm how to make inactive array active
  • ImageMagick how to trim white space automatically in Linux
  • curl: (1) Protocol "https not supported or disabled in libcurl"
  • Centos 5 OpenSSL does not support TLS 1.2 Apache Error
  • DRBD Split-brain solution
  • How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME
  • K9 Mail Android Cannot See or View E-mails Disappear after reading - with Dovecot server. Solution
  • The folder contents could not be displayed connection refused - solution
  • Setting Up System for First Use... Please Wait... - WHMCS Installer
  • ERROR 2013 (HY000): Lost connection to MySQL server during query
  • if script bash check if socket file (mysql.sock) exists
  • ioncube loader install howto on PHP/Centos