OCSP stapling, Apache 2.4 & SPDY
Hi.
I'm very much a security novice and I don't manage my server myself (we have a fab hosting company who does most of the work), however I want to understand this a bit better.
I want to enhance the encryption on the websites on our server. I read a great article by Yoast on moving a website to full SSL, which went through the recommended settings in order to get a grade A+ on SSL Labs.
1) I want to enable OCSP stapling as in this article. In the article by Yoast, he says:
> It means that you send status info about your certificate along with the request, instead of making the browser check the certificate with the Certificate Authority. This removes a large portion of the SSL overhead.
In order to enable OCSP stapling, you need Apache 2.3.3 or later plus OpenSSL 0.9.8h. Does cPanel work with Apache 2.3 or 2.4?
2) I'd like to offer full support for "SPDY". When using the checker at spdycheck.org it said the NPN Extension was missing in the SSL/TLS Handshake. Does cPanel work with the NPN Extension and full support for SPDY?
3) The cipher suites that are used in WHM (at least in our installation) seem not to be the best. Yoast uses the following:

    ssl_prefer_server_ciphers On;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Steve Gibson (of GRC and Security Now) seems to be using a very similar one. How do I go about enhancing this?
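For reference, an Apache 2.4 equivalent of the nginx settings quoted above, with OCSP stapling switched on. This is an added example, not configuration from the thread, from Yoast or from cPanel; the hostname, certificate paths and cache sizes are placeholders, and where EasyApache expects such directives to live is not covered here (on a managed cPanel server the cipher suite itself is set through the WHM option named in the replies). SSLv3 is deliberately left out, unlike the quoted nginx line, because of the POODLE attack published in October 2014.

```apache
# --- Server (global) context: the stapling cache must be defined outside any <VirtualHost> ---
LoadModule ssl_module            modules/mod_ssl.so
LoadModule socache_shmcb_module  modules/mod_socache_shmcb.so   # shmcb cache backend used below

# Protocol and cipher policy, inherited by every TLS vhost.
# Same suite list as the quoted nginx config; SSLHonorCipherOrder is the
# Apache equivalent of ssl_prefer_server_ciphers.
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCipherSuite          ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

# Session cache (resumption) and the OCSP stapling cache (sizes are placeholders)
SSLSessionCache         "shmcb:logs/ssl_scache(512000)"
SSLStaplingCache        "shmcb:logs/ssl_stapling(32768)"
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off   # staple nothing rather than staple a responder error

<VirtualHost *:443>
    ServerName www.example.com          # placeholder hostname
    SSLEngine on
    # Placeholder paths. The issuer chain is required for stapling: mod_ssl needs the
    # issuer certificate to build the OCSP request, so without it nothing is stapled.
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/issuer-chain.crt
</VirtualHost>
```

After restarting Apache, check that a stapled response is really being sent rather than trusting the config: `openssl s_client -connect www.example.com:443 -servername www.example.com -status </dev/null 2>/dev/null | grep -A 1 OCSP`. "OCSP Response Status: successful" means stapling works; "OCSP response: no response sent" means it does not, most often because the issuer chain is not available to Apache or because the server itself cannot reach the CA's OCSP responder URL over outbound HTTP.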
Hello :)
1. Yes, Apache 2.4 is available through EasyApache: /scripts/easyapache or "WHM Home » Software » EasyApache (Apache Update)".
2. SPDY support is not currently offered. You can review the reasons why on its feature request page: mod_spdy | cPanel Feature Requests (http://features.cpanel.net/responses/mod-spdy_2)
3. This is configurable with the "SSL Cipher Suite" option in "WHM Home » Service Configuration » Apache Configuration » Global Configuration".
Thank you.
cPanelMichael wrote:
> 1. Yes, Apache 2.4 is available through EasyApache: /scripts/easyapache or "WHM Home » Software » EasyApache (Apache Update)".

Thanks, I'll chat with my host about Apache 2.4.

cPanelMichael wrote:
> 2. SPDY support is not currently offered. You can review the reasons why on its feature request page: mod_spdy | cPanel Feature Requests (http://features.cpanel.net/responses/mod-spdy_2)

That's a shame, but I understand that enabling it would not have good security implications. I do hope this can be sorted out in the future.

cPanelMichael wrote:
> 3. This is configurable with the "SSL Cipher Suite" option in "WHM Home » Service Configuration » Apache Configuration » Global Configuration".

Thanks. I have added the ciphers and we now have A+ ratings (via SSL Labs) across all our SSL websites. They even have perfect forward secrecy enabled, which I was not expecting (as I had seen issues with other cPanel customers). :-)
cPanelMichael wrote:
> 2. SPDY support is not currently offered. You can review the reasons why on its feature request page: mod_spdy | cPanel Feature Requests (http://features.cpanel.net/responses/mod-spdy_2)

Good news: SPDY's going to be integrated into Apache: Google Developers Blog: mod_spdy is now an Apache project (http://googledevelopers.blogspot.com/2014/06/modspdy-is-now-apache-project.html). Can't wait!
Hello! I also hope that soon we can see SPDY integrated into cPanel. I have opened a new request: - Removed - Do you have any idea when it would be possible?
I've removed the link to the Feature Request you posted. It's in moderated mode and will likely be rejected because there is already a similar Feature Request for mod_spdy in play with over 80 votes. It also has an Official Response. You can find it and vote for it here: mod_spdy - cPanel Feature Requests. Please feel free to add your comments, and the links you provided in yours, to that one instead. Thanks!