I am completely new to SSLCiphers and protocols. Just read about them and I am a little bit lost.
I got a WHM setup, Pound (Load Balancer) to have SSL in front of Varnish cache to Apache.
Installed LetsEncrypt from this Cpanel Guide:
I got a few rookie questions.
I ran an SSL Labs (Got a C) scan and I have problems with:
- This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate
- This server supports weak Diffie-Hellman (DH) key exchange parameters.
- This server accepts RC4 cipher, but only with older protocol versions.
- The server does not support Forward Secrecy with the reference browsers
Meaning that my SSLCiphers need tweaking and I am assuming my server.
My goal is to improve my SSL and I need some advice so I got a few questions:
1) Which SSLCiphers would be the most cross browser compatible and not mess up WHM?
2) If I do make the SSLCiphers change do I have to reissue new SSL Certs?
3) Do I also change LetsEncrypt Ciphers in the config file?
4) Anyone have a WHM Guide that is current, the ones online have differences and I don’t want to mess things up…
well SSL3 is something you can surely kick out of the way. almost all clients do TLS1.0.
RC4 was only helpful that XP has something faster than DES while still being “secure” this is no longer valid, and if you need support clients without AES Support then you might rather wanna do 3DES, which is slow but the safest old crypto in SSL/TLS.
for forward secrecy you need some DHE/ECDHE suites where you need DH parameters of at least 2048 (DHE) or 256 (ECDHE) bits.
also the cert is just your private RSA/ECDSA public key (signed by lets encrypt) which is used for authentication (that your website is really your website) and key exchange (in case of ciphers without forward secrecy) in combination with your private key.
Some of the protocols are above my current understanding. I am more of a copy and I'll paste the SSL.
I am running WHM
Apache 2.2.31
OpenSSL 1.0.1e
Centos 6.7
I see on WHM -> Apache Configuration -> Global Configuration ->
SSL/TLS Protocols: All -SSLv2 -SSLv3
SSL Cipher Suite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
Question # 1
Is there a SSL Cipher Suite that is recommend?
I found the following:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
- From https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
when your ssl test did say SSL3 was on, but your config says it isn't.
maybe the balancer is your problem, at least if it terminates the SSL connection
(the connection is essentially MitM’ed by the load balancer with another valid cert so it can decrypt and cache the data, which it couldn't do if it wouldn't understand the connection).
My1, which one can you share that I can just copy? I still have 3 issues…
-This server supports weak Diffie-Hellman (DH) key exchange parameters.
-This server accepts RC4 cipher, but only with older protocol versions.
-The server does not support Forward Secrecy with the reference browsers.
well it is an interesting site, but be reminded that you have to be careful with HSTS because if you have for some reason no longer a trusted HTTPS cert you are locked out. Also just copying random stuff from random sites doesn't help him learning stuff, which might be better in general, but it is a nice idea of Mozilla since it lists the oldest incompatible clients from the plain HTTPS crypto/auth perspective (doesn't include “unrelated” features as SNI).
I would go with intermediate and tweak it later based on test data, unless it’s a “closed community” (like a webmailer just for me) which would get a high, since I never use old browsers.
for as little changes as possible replace RC4+RSA with !RC4 this kicks RC4 completely from the server without exceptions.
with the weak DH keys you have to generate new DH keys using openssl.
for the “the browser doesn't do” secrecy with reference browsers we need a bit more info. one way would be posting a screen of the supported encryptions and the browser results. That’s a lot easier to understand than just the config list.
SSL Labs Grade A-
-The server does not support Forward Secrecy with the reference browsers
Under Handshake Simulation:
Apple ATS 9 / iOS 9 R Protocol or cipher suite mismatch
You mentioned “for forward secrecy you need some DHE/ECDHE suites where you need DH parameters of at least 2048 (DHE) or 256 (ECDHE) bits”. Do you have something I could add to it?
I tested the default WHM Cipher and added :IRC4 but got an A-.
Since I have Pound in front of Apache, not all the protocols work.
I've been testing several Ciphers.
My last one:
Ciphers "EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!eNULL:!LOW:!aNULL:!MD5:!DSS:!RC4"
Oh yeah that one.
Could you post a screen of the supported ciphers and browser results section? Or if it’s not too precious, just post your domain name? Guessing with config files isn’t too easy.
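Added example, not part of any post in this thread: a way to see what a cipher string really enables before pasting it into WHM or Pound, by classifying `openssl ciphers -v` output for the two findings discussed above (forward secrecy and RC4). The function name `audit_ciphers` and the sample lines are constructed for illustration; the column layout assumed is the one OpenSSL 1.0.x prints.

```shell
#!/bin/sh
# audit_ciphers: read `openssl ciphers -v` output on stdin, one suite per line:
#   NAME  PROTO  Kx=...  Au=...  Enc=...  Mac=...
# Forward secrecy needs an ephemeral exchange, shown as exactly Kx=ECDH or Kx=DH.
# Kx=RSA and the static forms (Kx=ECDH/RSA, Kx=DH/DSS) do not provide it.
# TLS 1.3 suites printed by newer OpenSSL (Kx=any) are not handled here.
audit_ciphers() {
    awk '
    {
        kx = ""; enc = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/)  kx  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
        }
        fs = (kx == "ECDH" || kx == "DH") ? "FS" : "noFS"
        note = "ok"
        if (enc ~ /^RC4/)       note = "RC4"
        else if (enc ~ /^3DES/) note = "3DES"
        printf "%-6s %-5s %s\n", fs, note, $1
        if (fs == "FS")    nfs++
        if (note == "RC4") nrc4++
    }
    END { printf "summary fs=%d rc4=%d total=%d\n", nfs, nrc4, NR }
    '
}

# Constructed sample in the `openssl ciphers -v` layout (not from a real server).
sample_output() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EOF
}

sample_output | audit_ciphers

# On the server itself, feed it the string you intend to configure:
#   openssl ciphers -v 'YOUR:CIPHER:STRING' | audit_ciphers
```

Because Pound terminates the TLS connection in this setup, the string that decides the SSL Labs result is the one in Pound's `Ciphers` line, so check that one as well as the Apache setting.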