首頁 美術繪圖 | 美術設計 | 熱門標籤 | 首選 | 首頁宣傳 | 近期作品 論壇: 發表 | 美術工作 | 美術比賽 | 展覽活動 | 美術相關 | 一般討論 | 美術同好 CG 討論 :: Photoshop | Painter | 3D 行動 | AMP

【 立即註冊 】 : 更改個人資料 : : 登入

會員名稱: 登入密碼: 保持登入

Apache 2.4 SSLLabs Test grade from "B" to "A/A+ (A plus)"

發表新主題 回覆主題 討論區 Windows, Linux, Perl, PHP, C/C++, Driver, Web 理論、應用、硬體、軟體

| 1頁, 共1
人氣點閱:10470 發表人
Apache 2.4 SSLLabs Test grade from "B" to "A/A+ (A plus)" 2015-01-28 17:02
分類: ✔️SSL ✔️TLS ✔️apache
個人: ✔️SSL ✔️TLS ✔️apache
/ / /

Apache 2.4 SSLLabs Test grade from "B" to "A/A+"



@ https://www.ssllabs.com/ssltest/


1. Chain Issues: Incomplete Chain



This means that your SSL/TLS certificate issuer (e.g. COMODO SSL) might not be ROOT CA,
so, there might be chains/nodes between your site and ROOT CA.
Modem browser will download them automatically,
yet SSLLabs test will highlight it out to warn you about this.

Solution: Try to Add CA Certificate File(SSLCACertificateFile) in ssl.conf will resolve this.

代碼:


#
# Assume you put all *CA*.crt file in /tmp/
#
$ ls -al /tmp/comodossl/*CA*.crt

-rw-rw-r-- 1 15:59 /tmp/comodossl/AddTrustExternalCARoot.crt
-rw-rw-r-- 1 15:59 /tmp/comodossl/COMODORSAAddTrustCA.crt
-rw-rw-r-- 1 15:59 /tmp/comodossl/COMODORSADomainValidationSecureServerCA.crt

$ cd /etc/apache2/ssl

$ cat /tmp/comodossl/*.crt > chain.ca.crt

$ vim /etc/apache2/sites-available/yoursite-ssl.conf

##### Add the following lines to make your chain complete
SSLCACertificateFile    /etc/apache2/ssl/chain.ca.crt


$ service apache2 restart


2. Chain Issues: Contains Anchor



This is OK, just a reminding and 100% harmless, no more grade-capped-to-B


3. This server accepts the RC4 cipher, which is weak. Grade capped to B.


代碼:

$ vim /etc/apache2/mods-available/ssl.conf

### Revise/Add the following lines

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

$ service apache2 restart


4. Clients that do not support Forward Secrecy (FS) Grade capped to B.



代碼:

$ vim /etc/apache2/mods-available/ssl.conf

### Revise/Add the following lines

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

$ service apache2 restart



5. Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.



代碼:

$ vim /etc/apache2/mods-available/ssl.conf

### Revise/Add the following lines

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

$ service apache2 restart



6. This server uses SSL 3, which is obsolete and insecure. Grade capped to B.




Just disable SSL2 & SSL3 since all modem browsers support TLS 1.1 & TLS 1.2;
This could prevent POODLE-bite as well.

代碼:

$ vim /etc/apache2/mods-available/ssl.conf

### Revise/Add the following lines
SSLProtocol All -SSLv2 -SSLv3


$ service apache2 restart



Ref:
https://community.qualys.com/thread/11234
https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
________________

美術插畫設計案子報價系統 v0.1 Beta
爪哇禾雀
Type



繪圖畫廊設計藝廊
攝影相簿留言板
最愛收藏分類標籤
暱稱: Type
註冊: 2002-11-30
發表: 11171
來自: vovo2000.com
V幣: 901757
Re: Apache 2.4 SSLLabs Test grade from "B" to "A/A+ (A plus)" 2017-02-24 12:35
/ / /

SSLLabs Test "A" to "A plus / A+"




Later, you could enable "Strict-Transport-Security"

enable enlist yourself to "HSTS preload",

Then you are likely to step in to A-Plus in SSLLabs test!
@ https://www.ssllabs.com/ssltest/

If you can't achieve all sub domains,
just remove "includeSubdomains; preload"

代碼:

$ a2emod headers

$ vim <your SSL site config path>

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    </IfModule>


$ service apache2 restart

vovo2000com_A+_SSLLab.jpg
vovo2000com_A+_SSLLab.jpg



________________

美術插畫設計案子報價系統 v0.1 Beta
爪哇禾雀
Type



繪圖畫廊設計藝廊
攝影相簿留言板
最愛收藏分類標籤
暱稱: Type
註冊: 2002-11-30
發表: 11171
來自: vovo2000.com
V幣: 901757
/ / /














資訊相關理論、技術、管理、應用、產品等
發表新主題 回覆主題