Forward Secrecy

#1 Fri, 07/04/2014 - 11:03
bill56

Forward Secrecy

Hello:

SSL labs reduces their grade if the server does not support forward secrecy. They link to this on how to configure:

https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-depl...

---snip ---

Enabling forward secrecy can be done in two steps:

Configure your server to actively select the most desirable suite from the list offered by SSL clients. Put ECDHE and DHE suites at the top of your list. (The order is important; because ECDHE suites are faster, you want to use them whenever clients support them.)

Knowing which suites to enable and move to the top can be tricky, because not all browsers (devices) support all forward secrecy suites. At this point you may want to look for inspiration from those who are already supporting forward secrecy, for example Google.

In a nutshell, these are some of the suites you might want to enable and push (close) to the top:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

---snip ---

I modified httpd.conf to include these ciphers like this:

SSLCipherSuite TLS_ECDHE_RSA_WITH_RC4_128_SHA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: ECDH+AESGCM:DH+AESGCM:ECDH+AES256: DH+AES256:ECDH+AES128: DH+AES:ECDH+3DES:DH+3DES: RSA+AESGCM: RSA+AES:RSA+3DES: !aNULL:!MD5:!DSS

restarted httpd, and no change in the forward secrecy score. The TLS_ECDHE suites are not even in the list of cipher suites on the ssllabs report.

CentOS Linux 6.5, Linux 2.6.32-358.0.1.el6.x86_64 on x86_64
Virtualmin version 4.08.gpl GPL
httpd: Apache HTTP Server 2.2.15-29.el6.vm.1 (running latest)

Any ideas?

Thanks,

Bill56

Fri, 07/04/2014 - 11:08
bill56

modified for clarity

Fri, 12/12/2014 - 07:40
PatTzZ

Did you get it working?

Wed, 11/18/2015 - 21:16
nhsitehost

Has this been resolved? What do I need to do to fix this so https://www.ssllabs.com does not report this?

Wed, 11/18/2015 - 22:38
bill56

I believe this is what fixed it. In httpd.conf:

SSLEngine On

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
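
The difference between the two cipher strings in this thread can be checked statically. The lint below is an added example, not code from this thread or from Virtualmin. It models OpenSSL 1.0.x cipher-string syntax (the CentOS 6 build in question) and Apache 2.2 mod_ssl behaviour: IANA names such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA are not OpenSSL tokens and are dropped without an error when the other tokens still match something; without SSLHonorCipherOrder On the client's preference picks the suite, so ECDHE at the top of the server list changes nothing; and the bare ECDH and DH aliases also cover the fixed (non-ephemeral) ECDH-*/DH-* suites, which need a matching certificate and so cannot be negotiated with an RSA certificate, kEECDH and kEDH being the strict spellings. The two sample fragments are the SSLCipherSuite line from the first post (with an SSLEngine line added, since nothing else of that vhost is on the page) and bill56's fix, embedded as constructed input so the script runs offline.

```python
"""Lint an Apache mod_ssl fragment for the settings that decide the SSL Labs
forward-secrecy result discussed in this thread.

Added example: models OpenSSL 1.0.x cipher-string syntax and Apache 2.2
mod_ssl behaviour statically; it does not call openssl or httpd.
"""
import re

# OpenSSL 1.0.x accepts only its own suite names (ECDHE-RSA-AES128-SHA) and
# aliases (ECDH, DH, AESGCM, !aNULL ...) in a cipher string.  IANA names such
# as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA are unknown tokens; when the rest of
# the list still matches something they are skipped without any error.
IANA_NAME = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+$")

# Aliases that select ephemeral (forward-secret) key exchange.  Bare ECDH/DH
# also match the fixed ECDH-*/DH-* suites, which need an ECDH/DH certificate
# and are never negotiated with an RSA cert; kEECDH/kEDH are the strict forms.
EPHEMERAL_ALIASES = {"ECDHE", "EECDH", "kEECDH", "ECDH", "DHE", "EDH", "kEDH", "DH"}
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Apache 2.2's 'all' for SSLProtocol: every version the build knows about.
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def token_kx(token):
    """Classify one cipher-string token by what it can add to the list."""
    if token.startswith(("!", "-", "+", "@")):
        return "modifier"     # removes, demotes or sorts; selects nothing new
    if IANA_NAME.match(token):
        return "iana"         # unknown to OpenSSL 1.0.x, silently dropped
    parts = set(token.split("+"))   # "ECDH+AESGCM" = suites in both groups
    if parts & EPHEMERAL_ALIASES or token.startswith(EPHEMERAL_PREFIXES):
        return "ephemeral"
    return "nonfs"            # can select static-RSA (kRSA) suites


def parse_directives(config):
    """Directive name -> value; the last occurrence wins, as in one Apache scope."""
    directives = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives


def lint(config):
    """Return a list of findings; an empty list means the fragment is clean."""
    d = parse_directives(config)
    findings = []

    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On: the client's preference picks "
                        "the suite, so ECDHE at the top of the server list does nothing")

    proto = d.get("sslprotocol")
    if proto is None:
        findings.append("SSLProtocol not set: Apache 2.2 defaults to 'all', which includes SSLv3")
    else:
        enabled = set()
        for tok in proto.split():
            low = tok.lower()
            names = ALL_PROTOCOLS if low.lstrip("+-") == "all" else {low.lstrip("+-")}
            enabled = enabled - names if low.startswith("-") else enabled | names
        for name in ("SSLv2", "SSLv3"):
            if name.lower() in enabled:
                findings.append(f"SSLProtocol: {name} is enabled")

    suite = d.get("sslciphersuite")
    if suite is None:
        findings.append("SSLCipherSuite not set: OpenSSL's default list and order are used")
        return findings
    if re.search(r"\s", suite):
        findings.append("SSLCipherSuite: whitespace inside the cipher string; Apache 2.2 "
                        "takes it as a single colon-separated argument")
    kinds = [(t, token_kx(t)) for t in re.split(r"[:,\s]+", suite) if t]
    for t, k in kinds:
        if k == "iana":
            findings.append(f"SSLCipherSuite: {t} is an IANA name, not an OpenSSL "
                            "cipher-string token; OpenSSL 1.0.x drops it silently")
    selectable = [(t, k) for t, k in kinds if k in ("ephemeral", "nonfs")]
    if not selectable:
        findings.append("SSLCipherSuite: no token OpenSSL 1.0.x recognises; the list is "
                        "empty and mod_ssl refuses to start")
    elif not any(k == "ephemeral" for _, k in selectable):
        findings.append("SSLCipherSuite: no ECDHE/DHE token; forward secrecy depends on "
                        "OpenSSL's built-in ordering")
    else:
        first_nonfs = next((i for i, (_, k) in enumerate(selectable) if k == "nonfs"), None)
        if first_nonfs is not None:
            late = [t for t, k in selectable[first_nonfs:] if k == "ephemeral"]
            if late:
                findings.append(f"SSLCipherSuite: ephemeral-keyed tokens {late} are listed "
                                f"after {selectable[first_nonfs][0]}; move them to the front")
    return findings


# Constructed sample: the SSLCipherSuite line from the first post, with an
# SSLEngine line added; nothing else of that vhost is on the page.
FIRST_ATTEMPT = """
SSLEngine On
SSLCipherSuite TLS_ECDHE_RSA_WITH_RC4_128_SHA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: ECDH+AESGCM:DH+AESGCM:ECDH+AES256: DH+AES256:ECDH+AES128: DH+AES:ECDH+3DES:DH+3DES: RSA+AESGCM: RSA+AES:RSA+3DES: !aNULL:!MD5:!DSS
"""

# bill56's fix from later in the thread.
FIX = """
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
"""

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("fix", FIX)):
        print(f"== {label}")
        for finding in lint(cfg) or ["clean"]:
            print("  " + finding)
```

Running it lists seven findings for the first fragment (the four IANA names, the whitespace, the missing SSLHonorCipherOrder and the missing SSLProtocol) and prints "clean" for the fix. The runtime counterpart on the server itself is `openssl ciphers -v '<the same string>'`, which expands the string exactly as mod_ssl will see it and shows each suite's Kx= field; any Kx=RSA entry ahead of the ECDH/DH ones is what clients get once SSLHonorCipherOrder is on.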

Sat, 01/14/2017 - 13:37
-eclipse-

Hi

Is it possible to set this at a more general level so you don't have to edit each individual virtual server within the httpd.conf file? UPDATE: Found it in the httpd.conf file, just need to add it before the virtual servers :)

Secondly, if you want an A+ on SSLLABS you need to add the following

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Header always set X-Frame-Options DENY

Header always set X-Content-Type-Options nosniff

Requires Apache >= 2.4

SSLCompression off

SSLUseStapling on

SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

Tim
Mon, 07/30/2018 - 10:16
jonnybradley

Thanks bill56 for the fix, I haven't ventured on to the A+ settings from -eclipse- but will do when I have time...

So +1 for having this in the Virtualmin SSL Options panel one day (for me the SSLv2 and SSLv3 checkboxes still show as unchecked with "SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1" in the config file) and as a default for new servers? If it's not already...

jonny

Fri, 08/31/2018 - 09:16
marthasimons

modified ??


Topic locked