Lately I tried to improve the SSL score from the Qualys SSL Labs SSL configuration scanner. After a few tries I noticed that changes I made to SSLCipherSuite did not change anything at all, so there had to be a config file that overrides the settings for Apache 2.2.

Qualys error:

TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK

Solution: what I learned is that if you use Apache 2.2 with vhosts, the Apache vhost config for your site overrides the /etc/httpd/conf.d/ssl.conf settings! This behaviour makes no sense at all to me; nevertheless, here is the solution. Settings I used for /etc/httpd/conf.d/ssl.conf:
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
And for /etc/httpd/conf/sites-available/.vhost:
    <VirtualHost *:443>
        ...
        <IfModule mod_ssl.c>
            SSLEngine on
            SSLCertificateFile <path to your .crt>
            SSLCertificateKeyFile <path to your .key>
            SSLCACertificateFile <path to your bundle>
            SSLProtocol All -SSLv2 -SSLv3
            SSLHonorCipherOrder On
            SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
        </IfModule>
That's the trick for an A- rating. As far as I know, an A(+) rating is not possible while running Apache 2.2.
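To see the override described above without touching a live server, here is an added example (my own script, not code from the original post). It writes a constructed ssl.conf and two constructed vhost files into a temporary directory, resolves which SSLProtocol and SSLCipherSuite value a vhost actually ends up with (the vhost directive wins, the server-level one only applies when the vhost is silent), and, where OpenSSL is installed, expands the resulting cipher string to confirm that none of the EXPORT or single-DES suites Qualys flagged survive. The "before" vhost content is an assumed permissive setting for illustration, not taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows why editing only
# /etc/httpd/conf.d/ssl.conf changed nothing: an SSL directive inside
# <VirtualHost> takes precedence over the same directive at server level.
# All three config files below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SSL_CONF="$WORK/ssl.conf"
VHOST_BEFORE="$WORK/site-before.vhost"
VHOST_AFTER="$WORK/site-after.vhost"

# Server-level settings, as given in the post.
cat > "$SSL_CONF" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
EOF

# Constructed vhost that still carries its own, permissive directives
# (assumed content, to illustrate the override).
cat > "$VHOST_BEFORE" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
EOF

# The same vhost after applying the post's fix inside the vhost itself.
cat > "$VHOST_AFTER" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</VirtualHost>
EOF

# Print the last value of directive $1 found in file $2 (empty if absent).
directive_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | tail -n 1
}

# Effective value of directive $1 for a vhost: the vhost file ($3) wins,
# the server-level file ($2) applies only when the vhost does not set it.
effective_value() {
    v=$(directive_value "$1" "$3")
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        directive_value "$1" "$2"
    fi
}

# Expand cipher string $1 with the local OpenSSL and return 1 if any of the
# suite families Qualys flagged (EXPORT, single DES) survive, 0 otherwise.
# Returns 0 with a notice when openssl is not installed.
weak_ciphers_present() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    weak=$(openssl ciphers "$1" 2>/dev/null | tr ':' '\n' \
           | grep -E '^(EXP-|(EDH-RSA-)?DES-CBC-SHA$)' || true)
    if [ -n "$weak" ]; then
        printf 'weak suites still enabled:\n%s\n' "$weak"
        return 1
    fi
    return 0
}

for vh in "$VHOST_BEFORE" "$VHOST_AFTER"; do
    echo "== $vh"
    echo "SSLProtocol    : $(effective_value SSLProtocol "$SSL_CONF" "$vh")"
    echo "SSLCipherSuite : $(effective_value SSLCipherSuite "$SSL_CONF" "$vh")"
done

weak_ciphers_present "$(effective_value SSLCipherSuite "$SSL_CONF" "$VHOST_AFTER")" \
    && echo "no EXPORT or single-DES suites in the fixed vhost cipher string"
```

Run it as-is; the "before" vhost reports its own permissive values even though ssl.conf is already hardened, which is exactly the symptom from the post, and the "after" vhost reports the hardened ones. Note that a modern OpenSSL no longer ships the EXPORT and single-DES suites at all, so the last check passes there regardless; on the Apache 2.2 era OpenSSL the post targets, the !LOW and !EXP parts of the string are what remove them.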