When I decided to actually start blogging again–even though I get very little traffic–I thought it was important to enable SSL because I believe in encryption. There was a time when anyone, with little to no IT knowledge, could sit at a Starbucks and intercept login information for anyone using the wireless. Nowadays that traffic is encrypted by default because of a push to increase security and protect users. Now it is frowned upon to accept login credentials without SSL being configured. To keep this post short I will not get into what some people are calling the next crypto wars.
I moved this blog to a VPS provider and set up a simple LAMP stack with all the latest updates. From there I restored my blog and, finally, configured encryption. Good enough, right? Everything is fully up to date and encrypted, so what is next? I came across various hardening guides and a free tool from Qualys called SSL Labs. This tool scans a website from the outside and provides an in-depth look at its SSL configuration. I was a bit surprised when my website returned a C grade, but after reviewing the report it made a lot of sense.
- SSL 3 enabled (POODLE attack) – Grade capped to C
- Accepts RC4 ciphers – Grade capped to B
- Server does not support Forward Secrecy
- Cert Chain contains anchor
- Incorrect SNI alerts
Disable SSL version 3
The first thing I did was disable the old version of SSL. I started by editing /etc/apache2/mods-enabled/ssl.conf. Near the bottom I added -SSLv3 to the SSLProtocol line and saved the file. On older versions of Apache you may need to add -SSLv2 as well.
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol all -SSLv2 -SSLv3
After this change I restarted Apache (sudo service apache2 restart) and ran a new test. This time I was up to grade B.
Disable RC4 ciphers
For this change I had to Google what had to be done. I found this guide, here, which shows many of the changes you need to make in order to harden your server's SSL settings. We need to edit the ssl.conf file again.
- Change the SSLCipherSuite to the one below:
- Turn on SSLHonorCipherOrder
This will not only disable RC4 ciphers but it will turn on support for perfect forward secrecy.
Remove chain anchor
This one actually took a bit of troubleshooting. It turns out the certificate bundle that Namecheap included with my SSL certificate contained a certificate that was not needed. To correct this I opened the bundle.crt file with nano and removed the last certificate in the list. After restarting Apache the error was gone. Make a backup before doing this, just in case the one that needs to be removed is not at the end.
Correct SNI Alert
This error was a configuration problem from when I set up the Virtual Hosts. I simply had to add a ServerAlias to the port 443 VirtualHost.
After this modification my website received an A.
HTTP Strict Transport Security with long duration
The last step was to enable HTTP Strict Transport Security with a long duration. This was another modification for which I had to turn to Google, and another change to the port 443 VirtualHost.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
I also had to run sudo a2enmod headers and finally restart apache2 again.
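As an added check that is not part of the original post, this Python script audits the directives changed above against the findings from the SSL Labs report (old protocols, RC4, cipher order, HSTS, and the curly-quote mistake); the two sample configs and the cipher string are constructed stand-ins, not the post's own.

```python
import re
# Constructed sample of the directives this post changes, roughly as they stood
# in ssl.conf and the port-443 VirtualHost before hardening.
WEAK_CONF = """
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL
SSLHonorCipherOrder off
"""
# Constructed sample after the post's changes; the cipher string is a stand-in,
# since the post does not reproduce the one it used.
HARDENED_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE+AESGCM:ECDHE+AES:!RC4:!aNULL:!MD5
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
"""

def directives(conf):  # directive name -> argument string (last occurrence wins)
    found = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found[parts[0]] = parts[1] if len(parts) > 1 else ""
    return found

def audit(conf):  # findings from the post's SSL Labs report that still apply
    d, findings = directives(conf), []
    proto = d.get("SSLProtocol", "all").split()
    for old in ("SSLv2", "SSLv3"):
        # "all" keeps an old protocol on unless it is subtracted with "-".
        if old in proto or ("all" in proto and "-" + old not in proto):
            findings.append(old + " enabled")
    if "!RC4" not in d.get("SSLCipherSuite", "").split(":"):
        findings.append("RC4 not excluded from SSLCipherSuite")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off")
    hsts = re.search(r"Strict-Transport-Security\s+(.+)", d.get("Header", ""))
    if not hsts:
        findings.append("HSTS header missing")
    elif "\u201c" in hsts.group(1) or "\u201d" in hsts.group(1):
        findings.append("HSTS header uses curly quotes")  # Apache does not treat these as quotes
    else:
        value = hsts.group(1).strip('"')
        age = re.search(r"max-age=(\d+)", value)
        if not age or int(age.group(1)) < 31536000:  # one year, as in the post
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in value.lower():
            findings.append("HSTS missing includeSubDomains")
    return findings
```

Run audit() over your own ssl.conf and VirtualHost text to see which of the report's items remain before re-scanning with SSL Labs.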