Hi,
I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.). But before doing that, I have to figure out a few things that work differently under CentOS. Apache and SSL behave quite differently under these two distributions.
So far, Apache is running fine with HTTP and hosts a series of virtual hosts.
I have installed Certbot and created a Let's Encrypt certificate for the server.
I have a "dummy" website under /var/www/html/default/html.
I installed mod_ssl and only edited the following directives in /etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.
--8<------------------------------------------------
...
DocumentRoot "/var/www/html/default/html"
ServerName sd-41893.dedibox.fr:443
...
SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
--8<------------------------------------------------
After restarting Apache, the website shows up correctly.
But when I test it using Qualys SSL Labs Server Test, the results are a disappointment.
https://www.ssllabs.com/ssltest/
The site is rated "C", with the following remarks:
* "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C."
* "This server accepts RC4 cipher, but only with older protocols. Grade capped to B."
* "The server does not support Forward Secrecy with the reference browsers."
* "This site works only in browsers with SNI support."
I googled a bit, and to my surprise I only found articles about Apache and SSL on CentOS that seem - more or less - to use the default ssl.conf configuration.
On a side note, my Slackware servers have a default usable /etc/httpd/extra/httpd-ssl.conf file that gets an "A" on Qualys Labs, and even an "A+" when you add a two-liner.
Any suggestions on improving that?
Cheers,
Niki Kovacs
Hi,
On Wed, Apr 26, 2017 at 08:58:39AM +0200, Nicolas Kovacs wrote: ...
- "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C."
https://wiki.centos.org/Security/POODLE
<...>
Tru
On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs info@microlinux.fr wrote:
The site is rated "C"
The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date.
On 26 April 2017 at 13:16, Steven Tardy sjt5atra@gmail.com wrote:
<...>
I'm not 100% on any differences in ciphers available, but I don't think there should be much difference between EL7 and Fedora.
This config gets me an A+ rating on the SSL Labs test:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
IIRC the Red Hat defaults are somewhat conservative on their limitations in order to simplify and maximise client connectivity - as some stuff (especially Java apps or older mobile devices) tends to struggle otherwise with only a strict set of secure ciphers.
On 26/04/17 16:16, James Hogarth wrote:
<...>
Outside of Qualys, I found the following sites interesting:
https://cipherli.st/ (recommendations)
https://ssldecoder.org (testing tool)
On 26.04.2017 at 17:17, Fabian Arrotin arrfab@centos.org wrote:
<...>
+
https://access.redhat.com/articles/1462183
-- LF
On 26/04/2017 at 16:16, James Hogarth wrote:
<...>
Thanks for the detailed explanation!
On 26.04.2017 08:58, Nicolas Kovacs wrote:
<...>
with this:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on
you get Grade A+
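As an added example (not from the thread), a small Python audit that reads an httpd ssl.conf fragment and reports the same weaknesses SSL Labs flagged above: SSLv3 left on, RC4 not excluded, no server-side cipher ordering, no HSTS. The weak sample is constructed to resemble the untouched stock file the original poster kept; the hardened sample is the thread's final config plus James's HSTS header.

```python
# Constructed sample resembling the untouched stock ssl.conf the original poster
# kept (SSLv3 still on, client chooses the cipher, no HSTS); not copied from CentOS.
WEAK_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""
# The directives from the thread's last reply, plus the HSTS header from James's.
HARDENED_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
"""
FS_KX = ("EECDH", "ECDHE", "EDH", "DHE")  # key exchanges that give forward secrecy

def parse_directives(conf):
    """Lower-cased directive -> value; comments and <IfModule> tags are skipped."""
    d = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        d[name.lower()] = value.strip().strip("'\"")
    return d

def audit(conf):
    """Return SSL Labs-style remarks this config would earn ([] when clean)."""
    d, findings = parse_directives(conf), []
    proto = d.get("sslprotocol", "all").split()  # Apache treats a missing directive as 'all'
    if ("all" in proto or "SSLv3" in proto) and "-SSLv3" not in proto:
        findings.append("SSLv3 enabled: POODLE")
    # OpenSSL cipher strings may use ':' or spaces (James's variant) as separators.
    tokens = d.get("sslciphersuite", "DEFAULT").replace(":", " ").split()
    positive = [t.upper() for t in tokens if t[0] not in "!-"]
    if "!RC4" not in tokens and any(t in ("MEDIUM", "ALL", "DEFAULT") or "RC4" in t for t in positive):
        findings.append("RC4 not excluded")
    if not positive or not any(kx in positive[0] for kx in FS_KX):
        findings.append("forward-secrecy suites not listed first")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder off: client picks the cipher")
    if "strict-transport-security" not in conf.lower():
        findings.append("no HSTS header")
    return findings
```

Run audit() on the contents of /etc/httpd/conf.d/ssl.conf; an empty list means none of the thread's remarks apply to that file.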