How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME -

How to Properly Secure SSL/TLS Apache Settings against Heartbleed Poodle (TLS) Poodle (SSLv3) FREAK BEAST CRIME

Many users still are not aware but simply patching OpenSSL does not secure you against many known and easy to exploit attacks that will render your encryption useless by an attacker.

Use the following setings in /etc/httpd/conf.d/ssl.conf
 

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2

The above passed all tests on RapidSSL https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Vulnerabilities checked:
  • Heartbleed
  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME

Essentially what the above does is disable all known exploitable/weak ciphers and forces only TLS1.2 which is the only known secure version of TLS at this moment.  The settings above protect you against the listed vulnerabilities (just make sure you have a recent enough OpenSSL version that does support TLS 1.2, older distributions such as Centos 5 do not).


  • /usr/bin/ld: cannot find -lboost_system-mt-s /usr/bin/ld: cannot find -lboost_filesystem-mt-s /usr/bin/ld: cannot find -lboost_program_options-mt-s /usr/bin/ld: cannot find -lboost_thread-mt-s collect2: error: ld returned 1 exit status make: *** [cag
  • Wine uninstalled broken on Linux Mint
  • ffmpeg trouble concatenating similar but different files
  • ffmpeg Unable to Use Hardware Encoding with Nvidia 3.40 Driver and GT210 card
  • Linux Mint USB Kernel Tainted and Locked Port/Dev File
  • ffmpeg Linux Mint download, compile and install howto
  • OpenVZ error : Container start failed (try to check kernel messages, e.g. "dmesg | tail") Locked by: pid 166638, cmdline vzctl start 888171
  • How to extract view contents of initramfs image gzip'd
  • Linux how to copy GPT partition table with dd
  • Centos 7 How To Change Hostname
  • Debian/Mint/Ubuntu Font Packs/Recommended To Install
  • Migrate Centos 7 from Single HDD to mdadm RAID 10 array:
  • How to change reserved blocks in Linux partition
  • Reading package lists... Done W: GPG error: http://ppa.launchpad.net trusty InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D46F45428842CE5E
  • Centos 7 A start job is running for dev-mapper-clx2droot.device (8min 44s / no limit)
  • USB 3.0 External HDD Enclosure Seagate UAS problems - [sdd] tag#1 CDB: Write(16) 8a 00 00 00 00 01 70 04 08 68 00 00 00 08 00 00
  • Centos 7 Cudaminer Nvidia setup guide
  • USB 3.0 PCI x1 Card Review VIA VL805 on Linux Review and Experience
  • rsync run as root sudo without password
  • Why won't my Linux Mint boot after I manually installed a new kernel?