Recommendations for TLS implementation
Hello :) I just wanted to note there is a workaround available at: Update cPanel TLS. It's not something we directly support, but you are welcome to explore using it if necessary. Thank you.
Actually, we have cPanel 11.40.1 running on CloudLinux 6.5 with OpenSSL 1.0.1e-fips (but only on Apache 2.2.26). I've managed to get HSTS running (based on a single site) by adding the following, using the templates covered here: Custom Templates (http://docs.cpanel.net/twiki/bin/vief/EasyApache/EasyApacheCustomDirectivesOutsideVirtualHost#Custom Templates). Basically I added the following snippet:

    # Use HTTP Strict Transport Security to force client to use secure connections only
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

I used 6 months, which is the minimum for SSLLabs.com testing. We scored an A+; the individual scores would be higher if we disabled support for older browsers like IE6 and 7, but we have users still using those. Once I get things wrapped up, I will post a full follow-up.
[quote="robb3369", post: 1561502] Actually, we have cPanel 11.40.1 running on CloudLinux 6.5 with OpenSSL 1.0.1e-fips (but only on Apache 2.2.26). I've managed to get HSTS running (based on a single site) [...] [/quote]
I have done this below in the httpd.conf file. Thus I scored an A-.

    SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

Then I have this below as the TLS/SSL Cipher List. I know this can be improved, and I welcome those who have a better TLS/SSL Cipher List to score at least an A+ without causing issues that may arise.

    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
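The three settings argued over in this thread (SSLProtocol, the SSLCipherSuite string and the Strict-Transport-Security header) can be sanity-checked offline before a server restart and an SSL Labs run. The script below is an added example, not code from the thread, from cPanel or from mod_ssl; it gathers the directives posted above into a constructed sample config and flags what SSL Labs penalises: SSLv3 left on, RC4 re-enabled by the trailing RSA+RC4+SHA token, suites without forward secrecy, and an HSTS max-age under six months. Assumptions: ALL_PROTOCOLS is what "all" expands to for Apache 2.2 with OpenSSL 1.0.1 (SSLv2 compiled out), MIN_HSTS_AGE is the 180-day floor the thread cites for an A+, and the finding codes and the hardened_config() helper are this example's own.

```python
import re

# Constructed sample: the three directives posted in this thread, gathered into one config block.
SAMPLE_CONFIG = """
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
"""

# Assumption: what mod_ssl on Apache 2.2 with OpenSSL 1.0.1 expands "all" to (SSLv2 compiled out).
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
MIN_HSTS_AGE = 180 * 24 * 3600      # the six-month floor the thread cites for an SSL Labs A+


def parse_ssl_protocol(directive):
    """Return the protocols an SSLProtocol line leaves enabled.

    mod_ssl semantics: "+name" adds, "-name" removes, and a bare name *replaces*
    the whole set, so "SSLProtocol TLSv1 TLSv1.2" ends up as TLSv1.2 only.
    """
    enabled = set()
    for tok in directive.split()[1:]:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else [name]
        if op == "":
            enabled = set(names)
        elif op == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def parse_cipher_suite(directive):
    """Split an OpenSSL cipher string into ordered (operator, token) pairs.

    "!" kills a class for good, "-" removes it (it can be re-added later),
    "+" moves matches to the end; a "+" inside a token (RSA+RC4+SHA) is an AND.
    """
    pairs = []
    for tok in directive.split(None, 1)[1].split(":"):
        if tok and not tok.startswith("@"):          # @STRENGTH etc. only reorders
            op = tok[0] if tok[0] in "!-+" else ""
            pairs.append((op, tok[len(op):]))
    return pairs


def parse_hsts(directive):
    """Parse the quoted Strict-Transport-Security value into (max_age, include_subdomains)."""
    value = re.search(r'"([^"]*)"', directive).group(1)
    fields = [f.strip().lower() for f in value.split(";")]
    max_age = next((int(f[len("max-age="):]) for f in fields if f.startswith("max-age=")), None)
    return max_age, "includesubdomains" in fields


def audit(config):
    """Return finding codes (this example's own vocabulary) for the weaknesses discussed in the thread."""
    protocols, ciphers, hsts = set(), [], (None, False)
    for line in config.strip().splitlines():
        line = line.strip()
        if line.startswith("SSLProtocol"):
            protocols = parse_ssl_protocol(line)
        elif line.startswith("SSLCipherSuite"):
            ciphers = parse_cipher_suite(line)
        elif "Strict-Transport-Security" in line:
            hsts = parse_hsts(line)

    findings = []
    for old in ("SSLv2", "SSLv3"):
        if old in protocols:
            findings.append(old.lower() + "-enabled")
    # RC4 counts as enabled when it appears in any token that is not a kill ("!") or remove ("-").
    if any(op not in ("!", "-") and "RC4" in name for op, name in ciphers):
        findings.append("rc4-enabled")
    # Explicit suite names contain "-" and no "+"; aliases such as LOW or aNULL do not.
    explicit = [n for op, n in ciphers if op == "" and "-" in n and "+" not in n]
    non_pfs = [s for s in explicit if not s.startswith(("ECDHE-", "DHE-"))]
    if non_pfs:
        findings.append("non-pfs:" + ",".join(non_pfs))
    max_age, _subdomains = hsts
    if max_age is None:
        findings.append("hsts-missing")
    elif max_age < MIN_HSTS_AGE:
        findings.append("hsts-short:%d" % max_age)
    return findings


def hardened_config(config):
    """Derive stricter SSLProtocol/SSLCipherSuite lines from an existing pair: keep only the
    forward-secret (ECDHE/DHE) suites it already lists, drop SSLv3, and kill RC4 and NULL/anon."""
    suite_line = next(l for l in config.splitlines() if l.strip().startswith("SSLCipherSuite"))
    pfs = [n for op, n in parse_cipher_suite(suite_line) if op == "" and n.startswith(("ECDHE-", "DHE-"))]
    kills = ["!aNULL", "!eNULL", "!NULL", "!RC4", "!DSS", "!LOW", "!MD5"]
    return "SSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite " + ":".join(pfs + kills)


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_CONFIG))
    print(hardened_config(SAMPLE_CONFIG))
```

Run against the sample it reports SSLv3, RC4 and the two plain-RSA AES-GCM suites; the hardened pair clears every finding. Two caveats for anyone applying it: this is a static read of the directives, so a real handshake check (openssl s_client or an SSL Labs scan) is still needed after the restart, and dropping SSLv3 and RC4 is exactly the change that locks out IE6 at its default settings, the trade-off the first poster chose not to make.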