Monday, January 20, 2014

Migrating apache 2.2 to 2.4 to support forward secrecy

Apache 2.2 and earlier are compromised, but Ubuntu will not ship the security update for 12.04 LTS, which forces users to migrate to 13.10 in order to get Apache 2.4. In our experience so far, the only changes needed were:

Remove the sections below from apache2.conf

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
LockFile ${APACHE_LOCK_DIR}/accept.lock
...
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

Edit the virtual host

...
 SSLProtocol all -SSLv2
 SSLHonorCipherOrder on
 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
...
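
To see what the SSLCipherSuite line above actually expands to on a given OpenSSL build, and whether every suite it admits uses an ephemeral key exchange, here is an added Python check (not from the original post). It assumes Python 3.6+ linked against OpenSSL, and relies on the fact that Apache passes the SSLCipherSuite string to OpenSSL unchanged, so the local expansion matches what the server will offer.

```python
import ssl

# The SSLCipherSuite value from the vhost above. Apache hands this string to
# OpenSSL unchanged, so expanding it locally shows what the server will offer.
POST_CIPHER_SUITE = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
    "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# OpenSSL suite names whose key exchange is ephemeral (EC)DH.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def expand_cipher_suite(spec):
    """Expand an OpenSSL cipher spec into the concrete suites the local build selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # OpenSSL accepts spaces as well as ':' between cipher strings, so the
    # Apache line can be pasted as-is.
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()  # list of dicts with name, protocol, kea, ...


def has_forward_secrecy(cipher):
    """True if the suite's key exchange is ephemeral (TLS 1.3 suites always are)."""
    if cipher["protocol"] == "TLSv1.3":
        return True
    return cipher["name"].startswith(EPHEMERAL_PREFIXES)


def audit_cipher_suite(spec):
    """Split the suites a spec expands to into (forward_secret, not_forward_secret) names."""
    fs, non_fs = [], []
    for cipher in expand_cipher_suite(spec):
        (fs if has_forward_secrecy(cipher) else non_fs).append(cipher["name"])
    return fs, non_fs


if __name__ == "__main__":
    fs, non_fs = audit_cipher_suite(POST_CIPHER_SUITE)
    print("forward-secret suites offered:", len(fs))
    for name in fs:
        print("  ", name)
    # The bare "RC4" term admits RSA-key-exchange RC4 suites on builds that still ship RC4.
    print("suites WITHOUT forward secrecy:", non_fs or "none on this OpenSSL build")
```

Run it on the server itself (or any host with the same OpenSSL) after editing the vhost; the trailing bare RC4 term is the only part of the post's string that can admit an RSA-key-exchange suite such as RC4-SHA, and only on an OpenSSL build that still ships RC4.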
Reminder: if you are doing this on a new server (as you should, IMO), you will need to hardcode the domain-to-server-IP mapping in /etc/hosts until the DNS changes are made. At that point, remove the mapping.
