CentOS - Apr 2017 - Apache + SSL: default configuration rated "C" by Qualys Labs

On 26 April 2017 at 13:16, Steven Tardy <sjt5atra at gmail.com>
wrote:
>
>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at
microlinux.fr> wrote:
>>
>> The site is rated "C"
>
> The RHEL/CentOS out-of-the-box apache tls is a little old but operational.
This Mozilla resource is excellent for getting apache tls config up-to-date.
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
I'm not 100% on any differences in ciphers available, but I don't
think there should be much difference between EL7 and Fedora.

This config gets my an A+ rating on the sslabs test:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
!CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload"
</IfModule>

https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com

IIRC the Red Hat defaults are somewhat conservative on their
limitations in order to simplify and maximise client connectivity - as
some stuff (especially java apps or older mobile devices) tend to
struggle otherwise with only a strict set of secure ciphers.

On 26/04/17 16:16, James Hogarth wrote:
> On 26 April 2017 at 13:16, Steven Tardy <sjt5atra at gmail.com>
wrote:
>>
>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at
microlinux.fr> wrote:
>>>
>>> The site is rated "C"
>>
>> The RHEL/CentOS out-of-the-box apache tls is a little old but
operational. This Mozilla resource is excellent for getting apache tls config
up-to-date.
>>
>> https://wiki.mozilla.org/Security/Server_Side_TLS
> 
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
> 
> This config gets my an A+ rating on the sslabs test:
> 
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
> EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
> !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
> 
> <IfModule mod_headers.c>
>       Header always set Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
> </IfModule>
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
> 
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tend to
> struggle otherwise with only a strict set of secure ciphers.
Outside of Qualys, I found the following sites interesting :

https://cipherli.st/ (recommandations)
https://ssldecoder.org (testing tool)

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20170426/50efa8b2/attachment-0001.sig>

> Am 26.04.2017 um 17:17 schrieb Fabian Arrotin <arrfab at centos.org>:
> 
> On 26/04/17 16:16, James Hogarth wrote:
>> On 26 April 2017 at 13:16, Steven Tardy <sjt5atra at gmail.com>
wrote:
>>> 
>>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at
microlinux.fr> wrote:
>>>> 
>>>> The site is rated "C"
>>> 
>>> The RHEL/CentOS out-of-the-box apache tls is a little old but
operational. This Mozilla resource is excellent for getting apache tls config
up-to-date.
>>> 
>>> https://wiki.mozilla.org/Security/Server_Side_TLS
>> 
>> I'm not 100% on any differences in ciphers available, but I
don't
>> think there should be much difference between EL7 and Fedora.
>> 
>> This config gets my an A+ rating on the sslabs test:
>> 
>> SSLEngine on
>> SSLProtocol all -SSLv2 -SSLv3
>> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384
EECDH+aRSA+SHA256
>> EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
>> !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
>> 
>> <IfModule mod_headers.c>
>>      Header always set Strict-Transport-Security
"max-age=15768000;
>> includeSubDomains; preload"
>> </IfModule>
>> 
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
>> 
>> IIRC the Red Hat defaults are somewhat conservative on their
>> limitations in order to simplify and maximise client connectivity - as
>> some stuff (especially java apps or older mobile devices) tend to
>> struggle otherwise with only a strict set of secure ciphers.
> 
> Outside of Qualys, I found the following sites interesting :
> 
> https://cipherli.st/ (recommandations)
> https://ssldecoder.org (testing tool)
+

https://access.redhat.com/articles/1462183

--
LF

Le 26/04/2017 ? 16:16, James Hogarth a ?crit :
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
> 
> This config gets my an A+ rating on the sslabs test:
> 
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
> EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
> !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
> 
> <IfModule mod_headers.c>
>       Header always set Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
> </IfModule>
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
> 
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tend to
> struggle otherwise with only a strict set of secure ciphers.
Thanks for the detailed explanation!

-- 
Microlinux - Solutions informatiques durables
7, place de l'?glise - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
T?l. : 04 66 63 10 32