Thursday, September 22, 2011

Securing your Apache SSL site

The default Apache SSL configuration accepts the weak RC4+RSA ciphers and SSL v2, both of which are vulnerable:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Here is what you have to do to make it secure.

SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!EXP:!MD5:!NULL
SSLHonorCipherOrder on
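
As an added example (not part of the original post), here is a small Python audit that applies OpenSSL's cipher-string rules to the two directive sets above. The hardened set still offers RC4-SHA, which was a reasonable choice in 2011 but has since been prohibited by RFC 7465, so the check reports it.

```python
import re

# Directives copied from the post: the Apache 2.2-era default and the hardened replacement.
WEAK_CONFIG = "SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n"
HARDENED_CONFIG = (
    "SSLProtocol all -SSLv2\n"
    "SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!EXP:!MD5:!NULL\n"
    "SSLHonorCipherOrder on\n"
)
# Cipher-string keywords to report when they stay enabled. "ALL" pulls every one of them in.
WEAK_KEYWORDS = ("RC4", "EXP", "LOW", "MD5", "SSLv2", "aNULL")

def parse_directives(text):
    """Map each SSL* directive in an Apache config snippet to its value."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(SSL\w+)\s+(.+?)\s*$", text, re.M)}

def enabled_weak_keywords(cipher_suite):
    """Weak keywords an OpenSSL cipher string still offers, by its own rules:
    '!' removes permanently, '-' removes until re-added, '+' only reorders ciphers
    already present, and 'ALL' selects everything except eNULL."""
    tokens = cipher_suite.split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    selected = set()
    for t in tokens:
        if t and t[0] not in "!+-":
            selected.update(t.split("+"))   # 'RC4+RSA' selects ciphers matching both
    enabled = set()
    for kw in WEAK_KEYWORDS:
        if kw in excluded:
            continue
        # a bare keyword ('RC4'), a cipher name using it ('RC4-SHA') or 'ALL' enables it
        if "ALL" in selected or any(s == kw or s.startswith(kw + "-") for s in selected):
            enabled.add(kw)
    return enabled

def audit(config_text):
    """Return sorted findings for the mod_ssl settings the post discusses."""
    d = parse_directives(config_text)
    findings = []
    proto = d.get("SSLProtocol", "all").split()   # Apache 2.2 default: all protocols
    if ("all" in proto and "-SSLv2" not in proto) or "+SSLv2" in proto or "SSLv2" in proto:
        findings.append("SSLv2 enabled")
    for kw in sorted(enabled_weak_keywords(d.get("SSLCipherSuite", "DEFAULT"))):
        findings.append("cipher keyword enabled: " + kw)
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder off: client chooses the cipher")
    return findings

if __name__ == "__main__":
    for name, cfg in (("default", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```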

If you are in doubt, you can use SSL Labs' free service to find out whether your SSL server is secure enough.

You will be amazed how many websites are vulnerable to MITM attacks simply because some people still think it is enough to buy a signed certificate. What is perhaps even sadder is that some people were surprised by the recent Diginotar hack, but if you actually run the test for www.diginotar.com you will see it rated "D" because it accepts weak ciphers and still supports insecure SSL 2.0. At the time of this writing that is still the case (https://www.ssllabs.com/ssldb/analyze.html?d=www.diginotar.com). Below are the results I just got:

Please do yourself a favor and make sure your website is hosted on an "A"-rated SSL host.
