SSL Cipher Settings (PCI Compliant)
If you are going to use SSL for your site, make sure that you disable the low-grade ciphers.
To do this, simply edit:
# /etc/httpd/conf.d/ssl.conf
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!LOW:!MEDIUM

# Save the file and restart Apache
service httpd restart

# Check that the settings are working (this one should connect)
openssl s_client -connect localhost:443 -cipher EXP:HIGH

# The commands below should throw you an error
openssl s_client -connect localhost:443 -cipher EXP:LOW
openssl s_client -connect localhost:443 -cipher EXP:MEDIUM
By default CentOS comes with OpenSSL version 1.0.0. However, OpenSSL was updated a year ago to 1.0.1, which adds support for newer protocols and cipher suites, including TLS 1.1 and 1.2. Normally, before updating OpenSSL, I would back up the server first in case anything goes wrong, because OpenSSL is used by many programs on a Linux system.
To update OpenSSL, you will need to install the package manually with rpm:
# Install the IUS repository that carries openssl 1.0.1e
rpm -Uvh http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-10.ius.el6.noarch.rpm

# Install yum-plugin-replace
yum install yum-plugin-replace

# Replace the stock openssl package with openssl10 (1.0.1e)
yum replace openssl --replace-with openssl10
I have also replaced the SSLCipherSuite above with:
SSLCipherSuite 'AESGCM:RC4:SHA384:SHA256:AES:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!kEDH:!PSK:!SRP:!kECDH'
You should also disable SSL compression, as it is vulnerable to the CRIME attack according to ssllabs.com.
# /etc/httpd/conf/httpd.conf
# Disable the module within Apache by commenting out its LoadModule line with a #
#LoadModule deflate_module modules/mod_deflate.so
and then:
echo "export OPENSSL_NO_DEFAULT_ZLIB=1" >> /etc/sysconfig/httpd
# Restart the Apache server
service httpd restart
After you have finished the configuration, have your site tested with http://www.ssllabs.com
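To make the checks in this post repeatable before handing the site to ssllabs.com, here is an added shell script (example code, not from the original post). It expands an SSLCipherSuite value with the local OpenSSL and flags any suite the post's cipher strings are meant to drop, classifies captured `openssl s_client` output as accepted or rejected, and reports whether TLS-level compression was negotiated. The openssl output embedded in it is constructed sample data; `audit_live` is the only function that talks to a real server. One point worth keeping in mind when reading the compression section: CRIME exploits TLS-level compression, which is what `OPENSSL_NO_DEFAULT_ZLIB=1` turns off, while mod_deflate controls HTTP response compression, a separate layer.

```shell
#!/bin/sh
# Added audit helpers for the settings in this post (example code, not the
# post's own). The SAMPLE_* values below are constructed so the parsing
# functions run offline; audit_live and check_cipher_string call the real
# openssl(1) tool the way the post does.

# weak_suites: read `openssl ciphers -v` lines on stdin and print the name of
# every suite the post's SSLCipherSuite strings are meant to drop: anonymous
# auth (Au=None), no encryption (Enc=None), export grade, single DES, 3DES and
# MD5-based MACs. RC4 is left alone because both strings in the post keep it;
# add Enc=RC4 to the pattern if you want it flagged too.
weak_suites() {
    awk '/Au=None|Enc=None|export|Enc=DES\(56\)|Enc=3DES|Mac=MD5/ { print $1 }'
}

# check_cipher_string CIPHERSTRING: expand an SSLCipherSuite value with the
# local OpenSSL and list any weak suites it still contains.
# Exit status 0 when the list is clean, 1 otherwise.
check_cipher_string() {
    found=$(openssl ciphers -v "$1" | weak_suites)
    [ -z "$found" ] && return 0
    printf 'weak suites still enabled:\n%s\n' "$found"
    return 1
}

# classify_handshake OUTPUT: interpret captured `openssl s_client` output.
#   rejected - the server refused every cipher the client offered
#   accepted - a cipher was negotiated
#   unknown  - no verdict (connection error, or the local client has no
#              ciphers of that class compiled in)
classify_handshake() {
    case "$1" in
        *"Cipher is (NONE)"*) echo rejected ;;
        *"Cipher is "*)       echo accepted ;;
        *)                    echo unknown ;;
    esac
}

# tls_compression OUTPUT: report whether TLS-level compression was negotiated,
# which is what the OPENSSL_NO_DEFAULT_ZLIB setting in the post disables.
tls_compression() {
    case "$1" in
        *"Compression: NONE"*) echo off ;;
        *"Compression: "*)     echo on ;;
        *)                     echo unknown ;;
    esac
}

# audit_live HOST [PORT]: run the post's s_client checks one cipher class at
# a time. With the post's settings EXP, LOW and MEDIUM should read "rejected"
# and HIGH "accepted" with compression=off.
audit_live() {
    host=$1; port=${2:-443}
    for class in EXP LOW MEDIUM HIGH; do
        out=$(openssl s_client -connect "$host:$port" -cipher "$class" </dev/null 2>&1)
        printf '%-7s %s  compression=%s\n' "$class" \
            "$(classify_handshake "$out")" "$(tls_compression "$out")"
    done
}

# ---- constructed sample data (shape of real openssl output, values made up) ----
SAMPLE_CIPHERS=$(cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EOF
)

SAMPLE_ACCEPTED='SSL handshake has read 1450 bytes and written 433 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: NONE
Server public key is 2048 bit'

SAMPLE_REJECTED='SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
Compression: NONE'

SAMPLE_COMPRESSED='New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: zlib compression'

# Offline demonstration on the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_CIPHERS" | weak_suites   # six weak suites
    classify_handshake "$SAMPLE_ACCEPTED"           # accepted
    classify_handshake "$SAMPLE_REJECTED"           # rejected
    tls_compression "$SAMPLE_COMPRESSED"            # on
}

# Usage against a real server: ./audit.sh localhost 443
if [ $# -gt 0 ]; then
    audit_live "$@"
fi
```

`check_cipher_string 'AESGCM:RC4:SHA384:SHA256:AES:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!kEDH:!PSK:!SRP:!kECDH'` expands the post's second string with whatever OpenSSL is installed locally, so run it on the server itself after the package replacement: the expansion depends on the library version. `audit_live` offers one class per connection instead of the post's `EXP:HIGH` style pairs so that a result is unambiguous; an `unknown` verdict for EXP or LOW usually means the client OpenSSL no longer has those suites compiled in, not that the server accepted them.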