Nicolas Kovacs
2017-Apr-26 06:58 UTC
[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
Hi,

I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.) But before doing that, I have to figure out a few things that work differently under CentOS. Apache and SSL behave quite differently under these two distributions.

So far, Apache is running fine with HTTP and hosts a series of virtual hosts.

I have installed Certbot and created a Let's Encrypt certificate for the server.

I have a "dummy" website under /var/www/html/default/html.

I installed mod_ssl and only edited the following directives in /etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.

--8<------------------------------------------------
...
DocumentRoot "/var/www/html/default/html"
ServerName sd-41893.dedibox.fr:443
...
SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
--8<------------------------------------------------

After restarting Apache, the website shows up correctly.

https://sd-41893.dedibox.fr/

But when I test it using Qualys SSL Labs Server Test, the results are a disappointment.

https://www.ssllabs.com/ssltest/

The site is rated "C", with the following remarks:

* "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C."
* "This server accepts RC4 cipher, but only with older protocols. Grade capped to B."
* "The server does not support Forward Secrecy with the reference browsers."
* "This site works only in browsers with SNI support."

I googled a bit, and to my surprise I only found articles about Apache and SSL on CentOS that seem - more or less - to use the default ssl.conf configuration.

On a side note, my Slackware servers have a default usable /etc/httpd/extra/httpd-ssl.conf file that gets an "A" on Qualys Labs, and even an "A+" when you add a two-liner.

Any suggestions on improving that?

Cheers,

Niki Kovacs
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Tru Huynh
2017-Apr-26 08:30 UTC
[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
Hi,

On Wed, Apr 26, 2017 at 08:58:39AM +0200, Nicolas Kovacs wrote:
...
> * This server is vulnerable to the POODLE attack. If possible, disable
> SSL 3 to mitigate. Grade capped to C."

https://wiki.centos.org/Security/POODLE

<...>

Tru
--
Tru Huynh
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
Steven Tardy
2017-Apr-26 12:16 UTC
[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at microlinux.fr> wrote:
>
> The site is rated "C"

The RHEL/CentOS out-of-the-box Apache TLS is a little old but operational. This Mozilla resource is excellent for getting Apache TLS config up-to-date.

https://wiki.mozilla.org/Security/Server_Side_TLS
James Hogarth
2017-Apr-26 14:16 UTC
[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
On 26 April 2017 at 13:16, Steven Tardy <sjt5atra at gmail.com> wrote:
>
>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at microlinux.fr> wrote:
>>
>> The site is rated "C"
>
> The RHEL/CentOS out-of-the-box Apache TLS is a little old but operational. This Mozilla resource is excellent for getting Apache TLS config up-to-date.
>
> https://wiki.mozilla.org/Security/Server_Side_TLS

I'm not 100% on any differences in ciphers available, but I don't think there should be much difference between EL7 and Fedora.

This config gets me an A+ rating on the SSL Labs test:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com

IIRC the Red Hat defaults are somewhat conservative on their limitations in order to simplify and maximise client connectivity - as some stuff (especially Java apps or older mobile devices) tend to struggle otherwise with only a strict set of secure ciphers.
Walter H.
2017-Apr-29 13:10 UTC
[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
On 26.04.2017 08:58, Nicolas Kovacs wrote:
> Hi,
>
> I'm currently experimenting with a public server running CentOS 7. I
> have half a dozen production servers all running Slackware Linux, and I
> intend to progressively migrate them to CentOS, for a host of reasons
> (support cycle, package availability, SELinux, etc.) But before doing
> that, I have to figure out a few things that work differently under
> CentOS. Apache and SSL behave quite differently under these two
> distributions.
>
> So far, Apache is running fine with HTTP and hosts a series of virtual
> hosts.
>
> I have installed Certbot and created a Let's Encrypt certificate for the
> server.
>
> I have a "dummy" website under /var/www/html/default/html.
>
> I installed mod_ssl and only edited the following directives in
> /etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.
>
> --8<------------------------------------------------
> ...
> DocumentRoot "/var/www/html/default/html"
> ServerName sd-41893.dedibox.fr:443
> ...
> SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
> SSLCertificateChainFile
> /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
> --8<------------------------------------------------
>
> After restarting Apache, the website shows up correctly.
>
> https://sd-41893.dedibox.fr/
>
> But when I test it using Qualys SSL Labs Server Test, the results are a
> disappointment.

with this:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on

you get Grade A+
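The replies from James and Walter both fix the same three SSL Labs remarks (SSLv3, RC4, forward secrecy) plus the HSTS header. The following added Python check (not posted by anyone in the thread and not part of httpd) reads mod_ssl directives from a config snippet and reports those remarks before a server is exposed; the two sample configs embedded in it are constructed for the example, and the protocol expansion follows mod_ssl's documented meaning of "all" (SSLv3 plus TLS 1.x).

```python
import re

# Constructed samples (not copied from any real ssl.conf): the first mirrors the
# weak stock settings the thread describes, the second the hardened directives
# recommended in the replies.
DEFAULT_SSL_CONF = """
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
"""
HARDENED_SSL_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!RC4'
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
"""

def parse_directives(conf):
    """Yield (directive, value) for active lines; comments and blanks are skipped."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            yield name.lower(), value.strip().strip("'\"")

def enabled_protocols(spec):
    """Expand an SSLProtocol value as mod_ssl does: 'all' means SSLv3 plus TLS 1.x."""
    everything = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
    enabled = set()
    for tok in spec.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = everything if name.lower() == "all" else {name.lower()}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled

def audit(conf):
    """Return sorted finding codes for the SSL Labs remarks quoted in the thread."""
    d = dict(parse_directives(conf))
    findings = set()
    if "sslv3" in enabled_protocols(d.get("sslprotocol", "all")):
        findings.add("sslv3-enabled")  # POODLE: SSLv3 still negotiable
    ciphers = [t.upper() for t in re.split(r"[:, ]+", d.get("sslciphersuite", "")) if t]
    if "!RC4" not in ciphers:
        findings.add("rc4-not-excluded")  # only a '!' entry removes RC4 for good
    # FS needs (EC)DHE suites first and the server enforcing its own order.
    fs_first = bool(ciphers) and ciphers[0].startswith(("EECDH", "ECDHE", "EDH", "DHE"))
    if not fs_first or d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.add("fs-not-preferred")
    if "strict-transport-security" not in d.get("header", "").lower():
        findings.add("no-hsts")  # the HSTS 'two-liner' that lifts A to A+
    return sorted(findings)
```

Run `audit(open("/etc/httpd/conf.d/ssl.conf").read())` on a host to get the same four codes an SSL Labs scan would complain about, without exposing the box first.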