Difference between revisions of "Apache SSL/TLS Security Settings"
IVSWikiBlue (talk | contribs)
IVSWikiBlue (talk | contribs)
(2 intermediate revisions by the same user not shown)
Line 4: | Line 4: | ||
# Comment out this line by placing a '''#''' at the beginning of the line. | # Comment out this line by placing a '''#''' at the beginning of the line. | ||
# Add the following lines below the line that you just commented out: | # Add the following lines below the line that you just commented out: | ||
− | <pre>SSLProtocol ALL -SSLv2 -SSLv3 | + | <pre>SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 |
SSLHonorCipherOrder On | SSLHonorCipherOrder On | ||
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</pre> | SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</pre> | ||
# Type '''CTRL-X''' and then press Enter to exit. | # Type '''CTRL-X''' and then press Enter to exit. | ||
# Enter '''Y''' to save changes. | # Enter '''Y''' to save changes. | ||
− | # Do not change the name and press | + | # Do not change the name and press Enter to save the changes. |
# Type in the following, and then press Enter: <pre>sudo nano /etc/apache2/apache2.conf</pre> | # Type in the following, and then press Enter: <pre>sudo nano /etc/apache2/apache2.conf</pre> | ||
# Scroll to the bottom of the file. | # Scroll to the bottom of the file. | ||
# Add the following lines: | # Add the following lines: | ||
− | <pre>SSLProtocol ALL -SSLv2 -SSLv3 | + | <pre>SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 |
SSLHonorCipherOrder On | SSLHonorCipherOrder On | ||
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</pre> | SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</pre> | ||
# Type '''CTRL-X''' and then press Enter to exit. | # Type '''CTRL-X''' and then press Enter to exit. | ||
# Enter '''Y''' to save changes. | # Enter '''Y''' to save changes. | ||
− | # Do not change the name, and press | + | # Do not change the name, and press Enter to save the changes. |
# Type in the following, and then press Enter: <pre>sudo service apache2 restart</pre> | # Type in the following, and then press Enter: <pre>sudo service apache2 restart</pre> | ||
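Review bot: `SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1` in both `+` lines of this hunk still leaves TLSv1.1 enabled; if TLS 1.0 is being dropped, TLS 1.1 normally goes with it, so consider `-TLSv1.1` as well (or, on Apache 2.4, the allow-list form `SSLProtocol -all +TLSv1.2`). The same three directives are added both under `sites-enabled/default-ssl.conf` and at the end of `apache2.conf`; the virtual-host copy is the one that applies to that site, so the two blocks must be kept identical or the step should say which one is authoritative. The other change, completing the truncated "press Enter to save the changes" steps, is fine.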
Latest revision as of 13:03, 16 January 2020
- Connect to the server via ssh or access the shell via the console.
- Type in the following, and then press Enter:
sudo nano /etc/apache2/sites-enabled/default-ssl.conf
- Locate the line in the file
SSLProtocol ALL -SSLv2
- Comment out this line by placing a # at the beginning of the line.
- Add the following lines below the line that you just commented out:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- Type CTRL-X and then press Enter to exit.
- Enter Y to save changes.
- Do not change the name and press Enter to save the changes.
- Type in the following, and then press Enter:
sudo nano /etc/apache2/apache2.conf
- Scroll to the bottom of the file.
- Add the following lines:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- Type CTRL-X and then press Enter to exit.
- Enter Y to save changes.
- Do not change the name, and press Enter to save the changes.
- Type in the following, and then press Enter:
sudo service apache2 restart
You can verify the active ciphers by running the following command:
nmap -sV --script ssl-enum-ciphers -p 443 <host>
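Before restarting Apache it is worth knowing what the two directives above actually leave enabled. The following script is an added example, not part of the wiki page: it applies Apache 2.4's SSLProtocol token rules to the directive and expands the SSLCipherSuite string with the local OpenSSL through Python's ssl module. It assumes Apache 2.4 semantics and an OpenSSL build that supports every version from SSLv3 to TLSv1.3.

```python
import ssl

# Directive values copied from the procedure above.
SSL_PROTOCOL = "ALL -SSLv2 -SSLv3 -TLSv1"
SSL_CIPHER_SUITE = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
                    "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")

# What Apache's 'all' token expands to (assumption: the build supports all five).
KNOWN = {p.lower(): p for p in ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}

def enabled_protocols(directive):
    """Apply SSLProtocol tokens left to right (Apache 2.4 rules): 'all', a bare
    name or '+name' adds, '-name' removes.  SSLv2 was dropped from 2.4, so
    '-SSLv2' is accepted as a no-op while enabling it is a config error."""
    enabled = set()
    for token in directive.split():
        sign, raw = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        key = raw.lower()
        if key == "all":
            names = set(KNOWN.values())
        elif key == "sslv2":
            if sign == "+":
                raise ValueError("SSLProtocol: SSLv2 is no longer supported")
            continue
        elif key in KNOWN:
            names = {KNOWN[key]}
        else:
            raise ValueError("SSLProtocol: illegal protocol %r" % raw)
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def resolve_ciphers(cipher_string):
    """Expand an OpenSSL cipher string (SSLCipherSuite syntax) with the local
    OpenSSL; return (name, key_exchange) per TLS<=1.2 suite.  TLS 1.3 suites
    are fixed by OpenSSL and are not governed by this string, so skip them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]

def without_forward_secrecy(cipher_string):
    """Admitted suites using static RSA key exchange: a later leak of the
    server's private key would expose those sessions retroactively."""
    return [n for n, kea in resolve_ciphers(cipher_string) if kea == "kx-rsa"]

if __name__ == "__main__":
    print("protocols enabled:", sorted(enabled_protocols(SSL_PROTOCOL)))
    print("no forward secrecy:", without_forward_secrecy(SSL_CIPHER_SUITE))
```

Run against the page's values, the protocol directive still admits TLSv1.1 and the cipher string still admits plain-RSA key exchange (the `RSA+AESGCM:RSA+AES` groups), so check that both match the policy you intend before restarting. The nmap command above then confirms what the live server actually negotiates.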