Apache 2.4: raising the SSL Labs test grade from "B" to "A/A+"
@ https://www.ssllabs.com/ssltest/
1. Chain Issues: Incomplete Chain
This means the CA that issued your certificate (e.g. COMODO SSL) is not a root CA: one or more intermediate CA certificates sit between your certificate and the root, and your server is not sending them. Modern browsers can usually fetch the missing intermediates themselves, but many other clients cannot, so SSL Labs flags it as a chain problem.
Solution: give Apache the intermediate certificates so it sends the full chain. The post below does it with SSLCACertificateFile, which works because OpenSSL falls back to the CA certificates it has loaded when completing the chain it sends; that directive is really meant for client-certificate authentication, so on Apache 2.4.8 and later the cleaner way is to append the intermediate certificates (leaf first, then each issuer in order) to the file named by SSLCertificateFile, and on older 2.4 releases to use SSLCertificateChainFile.
Code:
#
# Assume you put the issuer's CA certificate files (*CA*.crt) in /tmp/comodossl/
#
$ ls -al /tmp/comodossl/*CA*.crt
-rw-rw-r-- 1 15:59 /tmp/comodossl/AddTrustExternalCARoot.crt
-rw-rw-r-- 1 15:59 /tmp/comodossl/COMODORSAAddTrustCA.crt
-rw-rw-r-- 1 15:59 /tmp/comodossl/COMODORSADomainValidationSecureServerCA.crt
$ cd /etc/apache2/ssl
# Concatenate them into one PEM bundle. Order does not matter for a CA file.
# Note that AddTrustExternalCARoot.crt is the root itself; including it is what item 2 below is about.
$ cat /tmp/comodossl/*CA*.crt > chain.ca.crt
$ vim /etc/apache2/sites-available/yoursite-ssl.conf
##### Add the following line (inside the SSL VirtualHost) to make your chain complete
SSLCACertificateFile /etc/apache2/ssl/chain.ca.crt
$ service apache2 restart
2. Chain Issues: Contains Anchor
This is only a note, not a grade cap: the chain you send includes the root certificate (AddTrustExternalCARoot.crt above), which the client already has in its trust store. It is harmless apart from a few hundred extra bytes per handshake. To make the note disappear, send only the intermediates, e.g. on Apache 2.4.8+ append just the intermediate certificates to the file named by SSLCertificateFile.
3. This server accepts the RC4 cipher, which is weak. Grade capped to B.
RC4 has known keystream biases, and SSL Labs has capped grades for it since 2014. Remove it from the cipher list and make the server's preference order win over the client's:
Code:
$ vim /etc/apache2/mods-available/ssl.conf
### Revise/Add the following lines
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
### Note: the trailing !RC4 removes every RC4 suite, so the earlier EECDH+aRSA+RC4 and RC4 entries
### contribute nothing and can be deleted. What remains is ECDHE (EECDH) and DHE (EDH) suites only.
$ service apache2 restart
4. The server does not support Forward Secrecy (FS) with the reference browsers. Grade capped to B.
Forward secrecy needs an ephemeral key exchange (ECDHE or DHE) rather than static RSA, and the server must actually prefer those suites. The same two directives as in item 3 do this: the list puts ECDHE suites first, falls back to DHE, and excludes static RSA key exchange, while SSLHonorCipherOrder makes that order stick.
Code:
$ vim /etc/apache2/mods-available/ssl.conf
### Revise/Add the following lines
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
$ service apache2 restart
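As an added example (not part of the original post) for items 3 and 4: a POSIX shell script that expands an SSLCipherSuite string with the openssl CLI and fails if any resulting suite lacks forward secrecy (key exchange other than ECDH, DH, or "any" for TLS 1.3) or is still RC4/3DES/MD5-based. STRONG is the string from the post; WEAK is a constructed comparison string, and the function names are mine. It needs only openssl and awk.

```shell
#!/bin/sh
# Added example, not from the original post: check an Apache SSLCipherSuite
# string against the two SSL Labs caps above (RC4, no forward secrecy) by
# expanding it with "openssl ciphers -v" and inspecting each suite's Kx= field.

# The string from items 3/4. The trailing !RC4 removes every RC4 suite, so the
# EECDH+aRSA+RC4 and RC4 entries before it contribute nothing.
STRONG='EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4'

# Constructed comparison: a common "anything decent" string that still allows
# static RSA key exchange (Kx=RSA), which has no forward secrecy.
WEAK='HIGH:MEDIUM:!aNULL:!MD5'

# Print "SUITE KX" for every suite OpenSSL expands from policy string $1
# (OpenSSL accepts space, colon or comma separators, as mod_ssl does).
expand_suites() {
  openssl ciphers -v "$1" |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^Kx=/) print $1, substr($i, 4) }'
}

# Return 0 when every suite uses ephemeral key exchange (ECDH, DH, or "any" for
# TLS 1.3) and none is RC4/3DES/MD5-based; otherwise print the offenders and
# return 1. Static ECDH shows up as "ECDH/RSA" on old OpenSSL and is rejected too.
check_cipher_policy() {
  openssl ciphers "$1" >/dev/null 2>&1 || { echo "invalid or empty cipher string"; return 1; }
  bad=$(expand_suites "$1" | awk '
    $2 != "ECDH" && $2 != "DH" && $2 != "any" { print $1 " (no forward secrecy, Kx=" $2 ")"; next }
    $1 ~ /RC4|3DES|DES-CBC3|MD5/               { print $1 " (weak cipher or MAC)" }')
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Demo: run as "sh cipher_check.sh run".
if [ "${1:-}" = run ]; then
  echo "== SSLCipherSuite from the post"
  check_cipher_policy "$STRONG" && echo "OK: $(expand_suites "$STRONG" | wc -l) suites, all with forward secrecy"
  echo "== weak policy: $WEAK"
  check_cipher_policy "$WEAK" || echo "FAIL: static-RSA suites present, SSL Labs would cap at B"
fi
```

The check runs against the local OpenSSL's idea of the string, which is the same parser mod_ssl hands it to, so it catches typos and dead entries before a restart. It does not tell you what the server actually negotiates; re-run the SSL Labs scan (or `openssl s_client -connect host:443 -cipher RC4` and expect a handshake failure) after `service apache2 restart`.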
5. Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
This one is not fixable in ssl.conf: the signature algorithm is chosen by the CA when it signs your certificate, and no cipher or protocol setting changes it. Generate a new CSR using a SHA-256 digest, have the CA reissue or renew the certificate signed with SHA-256 (most CAs reissue for free), and install the new certificate together with its intermediates. Check the intermediates as well, because SSL Labs flags a SHA-1 signature anywhere in the chain below the root.
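As an added example (not part of the original post) covering items 1, 2 and 5 together: a POSIX shell script that creates a throw-away root -> intermediate -> leaf hierarchy with the openssl CLI, builds the intermediate bundle both with and without the root, verifies the leaf the way a browser would, counts self-signed (anchor) certificates in a bundle, and reports the leaf's signature algorithm. All subjects, file names and function names are invented for the demo; it needs only openssl, awk and sed.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away PKI that shows what
# "Incomplete chain", "Contains anchor" and "weak signature" look like from
# the command line. Subjects and file names are invented for the demo.

# Create root -> intermediate -> leaf under directory $1 (RSA 2048, SHA-256).
make_test_pki() {
  dir=$1
  # Extensions that make a certificate usable as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Root: self-signed; this is what lives in the client's trust store.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  # Intermediate: signed by the root; the server must send this one.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Intermediate CA' \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -sha256 -days 1 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
  # Leaf: the CSR asks for SHA-256 (item 5); the signing CA decides the
  # certificate's algorithm, here -sha256 as well.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=www.example.com' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -sha256 -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

# Assemble the bundles Apache can be pointed at.
build_chain() {
  dir=$1
  cat "$dir/int.crt" > "$dir/chain.crt"                            # intermediates only (correct)
  cat "$dir/int.crt" "$dir/root.crt" > "$dir/chain_with_root.crt"  # like the post's cat: includes the anchor
  cat "$dir/leaf.crt" "$dir/int.crt" > "$dir/fullchain.crt"        # leaf first, then issuer: SSLCertificateFile on 2.4.8+
}

# Verify the leaf as a client would: only the root is trusted, $2 is the
# bundle the server sends (empty = the server sends nothing but the leaf).
verify_leaf() {
  dir=$1; bundle=$2
  if [ -n "$bundle" ]; then
    openssl verify -CAfile "$dir/root.crt" -untrusted "$bundle" "$dir/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" >/dev/null 2>&1
  fi
}

# Count self-signed certificates (subject == issuer) in PEM bundle $1.
# Anything above 0 is the "Contains anchor" note.
count_self_signed() {
  tmp=$(mktemp -d); n=0
  awk -v d="$tmp" '/BEGIN CERTIFICATE/ { i++ } { print > (d "/c" i ".pem") }' "$1"
  for c in "$tmp"/c*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then n=$((n + 1)); fi
  done
  rm -rf "$tmp"
  echo "$n"
}

# Print the signature algorithm of certificate $1 (want sha256WithRSAEncryption,
# not sha1WithRSAEncryption).
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Demo: run as "sh chain_check.sh run".
if [ "${1:-}" = run ]; then
  d=$(mktemp -d)
  make_test_pki "$d"; build_chain "$d"
  verify_leaf "$d" ""             || echo "leaf alone: incomplete chain (SSL Labs: Incomplete Chain)"
  verify_leaf "$d" "$d/chain.crt" && echo "chain.crt: complete chain, verifies OK"
  echo "self-signed certs in chain_with_root.crt: $(count_self_signed "$d/chain_with_root.crt") (SSL Labs: Contains anchor)"
  echo "leaf signature algorithm: $(sig_alg "$d/leaf.crt")"
  rm -rf "$d"
fi
```

To apply the same checks to a real deployment, point verify_leaf at your CA's root and the bundle you built, run sig_alg on the installed certificate and on each intermediate, and run `apachectl configtest` before `service apache2 restart`.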
6. This server uses SSL 3, which is obsolete and insecure. Grade capped to B.
Just disable SSL 2 and SSL 3, since all modern browsers support TLS 1.1 and TLS 1.2. This also closes the POODLE attack (CVE-2014-3566), which recovers plaintext from SSL 3.0's CBC padding. Note that later versions of the SSL Labs test also penalise TLS 1.0 and 1.1, so if your clients allow it, restrict the server to TLS 1.2 and newer rather than stopping at SSL 3.
Code:
$ vim /etc/apache2/mods-available/ssl.conf
### Revise/Add the following line
SSLProtocol All -SSLv2 -SSLv3
$ service apache2 restart
Ref:
https://community.qualys.com/thread/11234
https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
________________
爪哇禾雀