Is Simply Enabling SSL Enough?

When I decided to actually start blogging again–even though I get very little traffic–I thought it was important to enable SSL because I believe in encryption. There was a time when anyone, with little to no IT knowledge, could sit at a Starbucks and intercept login information for anyone using the wireless. Nowadays that traffic is encrypted by default because of a push to increase security and protect your users, and it is now frowned upon to accept login credentials without SSL being configured. To keep this post short I will not get into what some people are calling the next cryptowars.

I moved this blog to a VPS provider and set up a simple LAMP stack with all the latest updates. From there I restored my blog and, finally, configured encryption. Good enough, right? Everything is fully up-to-date and encrypted, so what is next? I came across various hardening guides and a free tool from Qualys called SSL Labs. This tool scans a website from the outside and provides an in-depth look at its SSL configuration. I was a bit surprised when my website returned a C grade, but after reviewing the report it made a lot of sense.

Configuration Issues

  • SSL 3 enabled (POODLE attack) – Grade capped to C
  • Accepts RC4 ciphers – Grade capped to B
  • Server does not support Forward Secrecy
  • Cert Chain contains anchor
  • Incorrect SNI alerts

Disable SSL version 3

The first thing I did was disable the old version of SSL. I started by editing /etc/apache2/mods-enabled/ssl.conf. Near the bottom I added -SSLv3 to the SSLProtocol line and saved the file. On older versions of Apache you may need to add -SSLv2 as well.

# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol all -SSLv2 -SSLv3

After this change I restarted Apache (sudo service apache2 restart) and ran a new test. This time I was up to grade B.

Disable RC4 ciphers

For this change I had to Google what needed to be done. I found this guide, here, which shows a lot of the changes you need to make in order to harden your server's SSL settings. We need to edit the ssl.conf file again.

  1. Change the SSLCipherSuite to the one below
  2. Turn on SSLHonorCipherOrder

#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

SSLHonorCipherOrder on

This not only disables RC4 ciphers but, because the ECDH and DH key exchanges are listed first and the server's order is honored, it also turns on support for perfect forward secrecy.

Remove chain anchor

This one actually took a bit of troubleshooting. It turns out the bundle certificate that Namecheap included with my SSL certificate contained a certificate that was not needed (the root, which the client already trusts). To correct this I opened the bundle.crt file with nano and removed the last certificate in the list. After restarting Apache the error was gone. Make a backup before doing this, just in case the one that needs to be removed is not at the end.

Correct SNI Alert

This error was a configuration problem from when I set up the Virtual Hosts. I simply had to add a ServerAlias for the port 443 VirtualHost.

<VirtualHost _default_:443>

ServerName blissjoe.com
ServerAlias www.blissjoe.com

After this modification my website received an A.

HTTP Strict Transport Security with long duration

The last step was to enable HTTP Strict Transport Security with a long duration. This was another modification for which I had to turn to Google. It was also another change to the port 443 VirtualHost.

<VirtualHost _default_:443>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

ServerName blissjoe.com
ServerAlias www.blissjoe.com

I also had to run sudo a2enmod headers and finally restart apache2 again.
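To check an ssl.conf for the five problems above before re-running SSL Labs, here is a small linter I wrote for this post (it is not part of the original post or of Apache). The RC4 and forward-secrecy checks are string heuristics rather than a real OpenSSL evaluation, and the 180-day HSTS minimum is an assumed policy threshold; the sample configs are constructed to mirror the "before" and "after" states described above.

```python
import re

# Constructed sample Apache ssl.conf fragments, not copied from any real server:
# BEFORE mirrors the C-grade findings in the post, AFTER mirrors the fixes.
BEFORE = """SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Header always set Strict-Transport-Security \u201cmax-age=300\u201d
"""
AFTER = """SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
"""
MIN_HSTS_AGE = 15552000  # assumed policy minimum for "long duration" (180 days)

def directives(conf):
    """Yield (name, args) for each non-comment line of an Apache config."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield name, args.strip()

def audit(conf):
    """Return the findings that would cap the SSL Labs grade, or [] if clean."""
    d = list(directives(conf))
    get = lambda name, default: next((a for n, a in d if n == name), default)
    findings = []
    proto = get("SSLProtocol", "all").split()  # "all" is Apache's default
    for old in ("SSLv2", "SSLv3"):
        if f"-{old}" not in proto and (old in proto or f"+{old}" in proto or "all" in proto):
            findings.append(f"{old} enabled")
    ciphers = get("SSLCipherSuite", "DEFAULT").split(":")
    # Heuristic: RC4 is on if named positively, or a broad group is used without !RC4.
    if any("RC4" in c and not c.startswith(("!", "-")) for c in ciphers) or (
        "!RC4" not in ciphers and any(c in ("DEFAULT", "ALL", "HIGH", "MEDIUM") for c in ciphers)):
        findings.append("RC4 ciphers accepted")
    if not any(c.startswith(("ECDH", "DH", "kEECDH", "kEDH")) for c in ciphers):
        findings.append("cipher list does not prefer forward-secrecy key exchange")
    if get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder off: client picks the cipher")
    hsts = next((a for n, a in d if n == "Header" and "Strict-Transport-Security" in a), None)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        if "\u201c" in hsts or "\u201d" in hsts:  # curly quotes from a blog/editor paste
            findings.append('HSTS header uses typographic quotes; Apache needs ASCII "')
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below policy minimum")
    return findings
```

Running audit(BEFORE) lists all seven problems, while audit(AFTER) returns an empty list.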
