Apache 2.4 SSLLabs Test grade from "B" to "A/A+ (A plus)"
Type(Type) 2015/1/28 17:02

Apache 2.4 SSLLabs Test grade from "B" to "A/A+"

@ https://www.ssllabs.com/ssltest/

1. Chain Issues: Incomplete Chain

This means that your SSL/TLS certificate issuer (e.g. COMODO SSL) might not be a ROOT CA, so there might be chains/nodes between your site and the ROOT CA. Modern browsers will download them automatically, yet the SSLLabs test will highlight it to warn you about this.

Solution: Try to add the CA certificate file (SSLCACertificateFile) in ssl.conf; this will resolve this.

Code:
## Assume you put all *CA*.crt files in /tmp/
$ ls -al /tmp/comodossl/*CA*.crt
-rw-rw-r-- 1 15:59 /tmp/comodossl/AddTrustExternalCARoot.crt
-rw-rw-r-- 1 15:59 /tmp/comodossl/COMODORSAAddTrustCA.crt
-rw-rw-r-- 1 15:59 /tmp/comodossl/COMODORSADomainValidationSecureServerCA.crt
$ cd /etc/apache2/ssl
$ cat /tmp/comodossl/*.crt > chain.ca.crt
$ vim /etc/apache2/sites-available/yoursite-ssl.conf
##### Add the following line to make your chain complete
SSLCACertificateFile    /etc/apache2/ssl/chain.ca.crt
$ service apache2 restart

2. Chain Issues: Contains Anchor

This is OK, just a reminder and 100% harmless, no more grade-capped-to-B.

3. This server accepts the RC4 cipher, which is weak. Grade capped to B.

Code:
$ vim /etc/apache2/mods-available/ssl.conf
### Revise/Add the following lines
SSLHonorCipherOrder on
### The trailing !RC4 removes RC4 for good: OpenSSL applies "!" entries regardless of
### their position, so the earlier EECDH+aRSA+RC4 and RC4 entries no longer match anything
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
$ service apache2 restart



4. Clients that do not support Forward Secrecy (FS) Grade capped to B.

Code:
$ vim /etc/apache2/mods-available/ssl.conf
### Revise/Add the following lines
### SSLHonorCipherOrder makes the server pick from its own list, so the EECDH/EDH
### (forward secrecy) suites listed first win whenever the client supports them
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
$ service apache2 restart

5. Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.

Code:
$ vim /etc/apache2/mods-available/ssl.conf
### Revise/Add the following lines
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
$ service apache2 restart

6. This server uses SSL 3, which is obsolete and insecure. Grade capped to B.

Just disable SSL2 & SSL3, since all modern browsers support TLS 1.1 & TLS 1.2; this could prevent POODLE bites as well.

Code:
$ vim /etc/apache2/mods-available/ssl.conf
### Revise/Add the following lines
SSLProtocol All -SSLv2 -SSLv3
$ service apache2 restart

Ref:
https://community.qualys.com/thread/11234
https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

#SSL
#TLS
#apache

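The checks the post walks through (incomplete chain, SSLv3, RC4, cipher order for forward secrecy), as an added Python example that is not part of the original post: a small linter over the mod_ssl directives the post changes, reporting the findings SSL Labs caps a grade for. The two configurations inside it are constructed for the example, and its SSLProtocol and cipher-string handling is a simplified model of mod_ssl/OpenSSL behaviour, not a full cipher-list evaluator. It also shows why the post's cipher string, which lists RC4 twice and then ends with "!RC4", does not actually offer RC4.

```python
"""Added example (not from the original forum post): lint the Apache mod_ssl
directives changed in the post for the things SSL Labs caps a grade on.
The two configurations below are constructed for the example; the cipher-string
and SSLProtocol handling is a simplified model of mod_ssl/OpenSSL, not a full
cipher-list evaluator."""
import re

# Constructed "before" config resembling a grade-B server: no chain file, SSLv3 on,
# RC4 offered and no server-side cipher preference.
WEAK_CONF = """\
SSLEngine on
SSLCertificateFile    /etc/apache2/ssl/site.crt
SSLCertificateKeyFile /etc/apache2/ssl/site.key
SSLProtocol All
SSLCipherSuite "RC4-SHA AES128-SHA DES-CBC3-SHA !aNULL"
"""

# Constructed "after" config using the directives from the post (paths are placeholders).
HARDENED_CONF = """\
SSLEngine on
SSLCertificateFile    /etc/apache2/ssl/site.crt
SSLCertificateKeyFile /etc/apache2/ssl/site.key
SSLCACertificateFile  /etc/apache2/ssl/chain.ca.crt
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 \
EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 \
!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
"""

# What "all" means to Apache 2.4 mod_ssl; SSLv2 support was removed in 2.4, so "-SSLv2" is a no-op.
ALL_PROTOCOLS = frozenset({"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"})


def parse_directives(conf_text):
    """Map lower-cased directive name -> value for a vhost/ssl.conf fragment.
    A later occurrence overrides an earlier one; surrounding quotes are stripped."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts[0].lower(), parts[1].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        directives[name] = value
    return directives


def enabled_protocols(sslprotocol_value):
    """Evaluate SSLProtocol the way mod_ssl does: 'all' switches every supported
    version on, '-X' removes one, '+X' or a bare 'X' adds one."""
    enabled = set()
    for tok in sslprotocol_value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        if op == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def cipher_tokens(suite_value):
    """Split an OpenSSL cipher string on the separators OpenSSL accepts (':', ',', space)."""
    return [t for t in re.split(r"[:,\s]+", suite_value) if t]


def rc4_negotiable(suite_value):
    """RC4 stays on offer unless a '!' token names it.  OpenSSL applies '!' entries
    regardless of position, which is why the post's trailing '!RC4' cancels the
    earlier 'EECDH+aRSA+RC4' and 'RC4' entries rather than the other way round."""
    toks = cipher_tokens(suite_value)
    offered = any(not t.startswith("!") and "RC4" in t.upper() for t in toks)
    killed = any(t.startswith("!") and "RC4" in t.upper() for t in toks)
    return offered and not killed


FS_KEY_EXCHANGE = ("EECDH", "ECDHE", "EDH", "DHE")


def prefers_forward_secrecy(directives):
    """True when the server enforces its own order and puts an ephemeral (EC)DH
    key exchange first, so FS-capable clients are not steered onto RSA key exchange."""
    honor = directives.get("sslhonorcipherorder", "off").lower() == "on"
    positive = [t for t in cipher_tokens(directives.get("sslciphersuite", ""))
                if t[0] not in "!-"]
    return honor and bool(positive) and any(k in positive[0].upper() for k in FS_KEY_EXCHANGE)


FINDINGS = {
    "incomplete-chain": "no SSLCACertificateFile/SSLCertificateChainFile: add the intermediate CA file",
    "sslv2-enabled": "SSLProtocol still allows SSLv2: add -SSLv2",
    "sslv3-enabled": "SSLProtocol still allows SSLv3 (POODLE): add -SSLv3",
    "rc4-enabled": "cipher string offers RC4 without a '!RC4' exclusion",
    "no-fs-preference": "set SSLHonorCipherOrder on and lead the cipher string with EECDH/EDH suites",
}


def lint(conf_text):
    """Return the sorted finding codes for one config text ([] = nothing that caps the grade)."""
    d = parse_directives(conf_text)
    found = []
    if "sslcacertificatefile" not in d and "sslcertificatechainfile" not in d:
        found.append("incomplete-chain")
    protos = enabled_protocols(d.get("sslprotocol", "all"))  # a missing directive is treated as "all" here
    found += [f"{p}-enabled" for p in ("sslv2", "sslv3") if p in protos]
    if rc4_negotiable(d.get("sslciphersuite", "")):
        found.append("rc4-enabled")
    if not prefers_forward_secrecy(d):
        found.append("no-fs-preference")
    return sorted(found)


def report(conf_text):
    """Human-readable version of lint(): one 'code: advice' line per finding."""
    return [f"{code}: {FINDINGS[code]}" for code in lint(conf_text)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, report(conf) or "no findings")
```

Run it as-is to see the constructed "before" config flagged on all four points and the post's configuration come back clean; to lint a real vhost, pass the file contents to `report()`. The linter only reads the directives, so it is a pre-restart sanity check, not a replacement for re-running the SSL Labs test against the live server.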


Type(Type) 2017/2/24 12:35

SSLLabs Test "A" to "A plus / A+"

Later, you could enable "Strict-Transport-Security" and enlist yourself in the "HSTS preload" list. Then you are likely to step into A-Plus in the SSLLabs test!

@ https://www.ssllabs.com/ssltest/

If you can't achieve all subdomains, just remove "includeSubdomains; preload".

Code:
$ a2enmod headers
$ vim <your SSL site config path>
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    </IfModule>
$ service apache2 restart


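The HSTS header from the post, as an added Python example that is not part of the original post: it parses the header value, checks it against the hstspreload.org submission requirements as assumed here (a one-year max-age, includeSubDomains and the preload token), builds the post's Header line with or without the subdomain part, and models how a browser applies a stored policy to later plain-http requests, which is what makes includeSubDomains matter. Hostnames and header values in it are constructed.

```python
"""Added example (not from the original forum post): parse the
Strict-Transport-Security header the post sets, check it against the
hstspreload.org submission rules (one-year max-age, includeSubDomains, preload,
as assumed here), and model how a browser applies the policy to later plain-http
requests.  Header values and hostnames below are constructed for the example."""

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the value used in the post's header


def parse_hsts(header_value):
    """Parse an STS header value per RFC 6797 section 6.1: ';'-separated directives,
    case-insensitive names, max-age mandatory; a duplicate directive makes the
    header invalid, and a conforming browser then ignores it."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("max-age missing or not a non-negative integer")
    return directives


def preload_problems(header_value):
    """List what would keep this header out of the HSTS preload list; [] means it
    meets the requirements assumed above."""
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


def apache_header_line(max_age=PRELOAD_MIN_MAX_AGE, include_subdomains=True, preload=True):
    """Build the mod_headers line from the post; sites that cannot serve every
    subdomain over HTTPS drop the includeSubDomains and preload parts, as the post says."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return f'Header always set Strict-Transport-Security "{value}"'


class HstsCache:
    """Minimal model of a browser's HSTS store: remember each host's policy and its
    expiry, then decide whether a plain-http URL must be upgraded to https."""

    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, now):
        """Record the policy from a response received over HTTPS at time `now`."""
        d = parse_hsts(header_value)
        max_age = int(d["max-age"])
        if max_age == 0:  # max-age=0 tells the browser to forget the host (RFC 6797 section 8.1)
            self.policies.pop(host.lower(), None)
            return
        self.policies[host.lower()] = (now + max_age, "includesubdomains" in d)

    def should_upgrade(self, host, now):
        """True if the host itself, or a parent domain whose policy carries
        includeSubDomains, has an unexpired policy.  Without includeSubDomains a
        policy for example.com says nothing about www.example.com."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if now < expires_at and (i == 0 or include_subdomains):
                return True
        return False


if __name__ == "__main__":
    print(apache_header_line())
    print(preload_problems("max-age=31536000; includeSubdomains; preload") or "preload-ready")
    cache = HstsCache()
    cache.observe("example.com", "max-age=31536000; includeSubdomains; preload", now=0)
    print("upgrade www.example.com:", cache.should_upgrade("www.example.com", now=0))
```

`preload_problems()` is the check to run on the header your server actually returns before submitting to the preload list; the cache model shows the trade-off the post mentions: dropping `includeSubdomains` keeps a site eligible for HSTS on its own name but leaves its subdomains, and the preload list, out.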