How to Properly Secure SSL/TLS Apache Settings against Heartbleed, Poodle (TLS), Poodle (SSLv3), FREAK, BEAST and CRIME

Many users are still not aware that simply patching OpenSSL does not protect you against a number of well-known and easy-to-exploit attacks that let an attacker render your encryption useless.

Use the following settings in /etc/httpd/conf.d/ssl.conf:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2

The above passed all tests on the RapidSSL certificate checker: https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Vulnerabilities checked:
  • Heartbleed
  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME

Essentially, the configuration above disables every known exploitable or weak cipher and allows only TLS 1.2, which is the only known secure version of TLS at this moment. These settings protect you against the listed vulnerabilities; just make sure your OpenSSL build is recent enough to support TLS 1.2 (older distributions such as CentOS 5 do not).
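To verify that a config file actually does what the article says, the following added script (not part of the original post) audits an Apache mod_ssl configuration: it applies mod_ssl's SSLProtocol token arithmetic (+name, -name, all) to work out which protocol versions remain enabled, and expands the SSLCipherSuite string through the local OpenSSL via Python's ssl module to confirm that no RC4, 3DES, MD5, NULL, export or anonymous ciphers survive. The two sample configurations embedded below are constructed for the example; the hardened one uses the directives from this article, the legacy one mimics a stock pre-POODLE config that only drops SSLv2. The expanded cipher list depends on the OpenSSL version the script runs against, so treat the cipher findings as a check of your own build rather than a universal result.

```python
"""Audit an Apache mod_ssl config for legacy protocols and weak ciphers (added example)."""
import re
import ssl

# Protocol names mod_ssl understands; the token "all" expands to every one of them.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Anything older than TLS 1.2 is reported as a finding, matching the article's advice.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that indicate a weak or unauthenticated suite.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "MD5", "NULL", "EXP-", "ADH-", "AECDH-")

# Constructed sample: the hardened directives from the article.
HARDENED_CONF = '''
SSLEngine on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol -all +TLSv1.2 -SSLv3 -SSLv2
'''

# Constructed sample: a stock-style config that only disables SSLv2 and keeps SSLv3/TLS 1.0.
LEGACY_CONF = '''
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
'''


def parse_directive(conf_text, name):
    """Return the value of the last uncommented occurrence of an Apache directive, unquoted."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(rf"^{name}\s+(.+)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
    return value


def enabled_protocols(sslprotocol_value):
    """Apply mod_ssl SSLProtocol semantics: tokens are [+|-]name, with 'all' as a wildcard."""
    enabled = set()
    for token in sslprotocol_value.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        names = set(KNOWN_PROTOCOLS) if token.lower() == "all" else {token}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def expand_cipher_suite(suite):
    """Expand an OpenSSL cipher string with the local OpenSSL; returns the cipher names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(suite)  # raises ssl.SSLError if no cipher matches the string
    return [c["name"] for c in ctx.get_ciphers()]


def audit(conf_text):
    """Return a list of findings for the given ssl.conf text; an empty list means it passes."""
    findings = []
    proto = parse_directive(conf_text, "SSLProtocol")
    if proto is None:
        findings.append("SSLProtocol missing: mod_ssl's default enables legacy protocols")
    else:
        for p in sorted(enabled_protocols(proto) & LEGACY_PROTOCOLS):
            findings.append(f"legacy protocol enabled: {p}")
    suite = parse_directive(conf_text, "SSLCipherSuite")
    if suite is None:
        findings.append("SSLCipherSuite missing: OpenSSL's default cipher list will be used")
    else:
        try:
            names = expand_cipher_suite(suite)
        except ssl.SSLError as exc:
            findings.append(f"SSLCipherSuite does not expand on this OpenSSL: {exc}")
            names = []
        for n in names:
            if any(marker in n for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"weak cipher enabled: {n}")
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        result = audit(conf)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Point `audit()` at the contents of your own /etc/httpd/conf.d/ssl.conf to check a live configuration; a PASS means only TLS 1.2 (and, if your Apache knows it, TLS 1.3) is enabled and the expanded cipher list contains none of the weak families the article excludes.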
