Difference between revisions of "Apache SSL/TLS Security Settings"
IVSWikiBlue (talk | contribs) |
IVSWikiBlue (talk | contribs) |
||
| Line 1: | Line 1: | ||
# Connect to the server via ssh or access the shell via the console. | # Connect to the server via ssh or access the shell via the console. | ||
| − | # Type '''sudo nano /etc/apache2/sites-enabled/default-ssl.conf''' | + | # Type '''sudo nano /etc/apache2/sites-enabled/default-ssl.conf'''. |
| − | # Locate the line in the file '''SSLProtocol ALL -SSLv2''' | + | # Locate the line in the file '''SSLProtocol ALL -SSLv2'''. |
# Comment out this line by placing a '''#''' at the beginning of the line. | # Comment out this line by placing a '''#''' at the beginning of the line. | ||
# Add the following lines below the line that you just commented out: | # Add the following lines below the line that you just commented out: | ||
| Line 7: | Line 7: | ||
#: '''SSLHonorCipherOrder On''' | #: '''SSLHonorCipherOrder On''' | ||
#: '''SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS''' | #: '''SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS''' | ||
| − | # Press '''CTRL-X''' to exit | + | # Press '''CTRL-X''' to exit. |
# Enter '''Y''' to save changes. | # Enter '''Y''' to save changes. | ||
# Do not change the name and press enter to save the changes. | # Do not change the name and press enter to save the changes. | ||
| − | # Type '''sudo nano /etc/apache2/apache2.conf''' | + | # Type '''sudo nano /etc/apache2/apache2.conf'''. |
# Scroll to the bottom of the file. | # Scroll to the bottom of the file. | ||
# Add the following lines: | # Add the following lines: | ||
| Line 16: | Line 16: | ||
#: '''SSLHonorCipherOrder On''' | #: '''SSLHonorCipherOrder On''' | ||
#: '''SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS''' | #: '''SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS''' | ||
| − | # Press '''CTRL-X''' to exit | + | # Press '''CTRL-X''' to exit. |
# Enter '''Y''' to save changes. | # Enter '''Y''' to save changes. | ||
| − | # Do not change the name and press | + | # Do not change the name, and press '''Enter''' to save the changes. |
| − | # Type '''sudo service apache2 restart''' | + | # Type '''sudo service apache2 restart'''. |
You can verify the active ciphers by running the following command: | You can verify the active ciphers by running the following command: | ||
'''nmap -sV --script ssl-enum-ciphers -p 443 <host>''' | '''nmap -sV --script ssl-enum-ciphers -p 443 <host>''' | ||
Revision as of 08:28, 22 April 2019
- Connect to the server via ssh or access the shell via the console.
- Type sudo nano /etc/apache2/sites-enabled/default-ssl.conf.
- Locate the line in the file SSLProtocol ALL -SSLv2.
- Comment out this line by placing a # at the beginning of the line.
- Add the following lines below the line that you just commented out:
- SSLProtocol ALL -SSLv2 -SSLv3
- SSLHonorCipherOrder On
- SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- Press CTRL-X to exit.
- Enter Y to save changes.
- Do not change the name and press enter to save the changes.
- Type sudo nano /etc/apache2/apache2.conf.
- Scroll to the bottom of the file.
- Add the following lines:
- SSLProtocol ALL -SSLv2 -SSLv3
- SSLHonorCipherOrder On
- SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- Press CTRL-X to exit.
- Enter Y to save changes.
- Do not change the name, and press Enter to save the changes.
- Type sudo service apache2 restart.
You can verify the active ciphers by running the following command:
nmap -sV --script ssl-enum-ciphers -p 443 <host>
