Difference between revisions of "Apache SSL/TLS Security Settings"

From IVS Wiki
Jump to: navigation, search
 
Line 4: Line 4:
 
# Comment out this line by placing a '''#''' at the beginning of the line.
 
# Comment out this line by placing a '''#''' at the beginning of the line.
 
# Add the following lines below the line that you just commented out:
 
# Add the following lines below the line that you just commented out:
<pre>SSLProtocol ALL -SSLv2 -SSLv3
+
<pre>SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
 
SSLHonorCipherOrder On
 
SSLHonorCipherOrder On
 
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</pre>
 
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</pre>
Line 13: Line 13:
 
# Scroll to the bottom of the file.
 
# Scroll to the bottom of the file.
 
# Add the following lines:
 
# Add the following lines:
<pre>SSLProtocol ALL -SSLv2 -SSLv3
+
<pre>SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
 
SSLHonorCipherOrder On
 
SSLHonorCipherOrder On
 
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</pre>
 
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</pre>

Latest revision as of 13:03, 16 January 2020

  1. Connect to the server via ssh or access the shell via the console.
  2. Type in the following, and then press Enter:
    sudo nano /etc/apache2/sites-enabled/default-ssl.conf
  3. Locate the line in the file
    SSLProtocol ALL -SSLv2
  4. Comment out this line by placing a # at the beginning of the line.
  5. Add the following lines below the line that you just commented out:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  1. Type CTRL-X and then press Enter to exit.
  2. Enter Y to save changes.
  3. Do not change the name and press Enter to save the changes.
  4. Type in the following, and then press Enter:
    sudo nano /etc/apache2/apache2.conf
  5. Scroll to the bottom of the file.
  6. Add the following lines:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  1. Type CTRL-X and then press Enter to exit.
  2. Enter Y to save changes.
  3. Do not change the name, and press Enter to save the changes.
  4. Type in the following, and then press Enter:
    sudo service apache2 restart

You can verify the active ciphers by running the following command:

nmap -sV --script ssl-enum-ciphers -p 443 <host>