Dobrev.EU Blog

Strengthen SSL Configuration - POODLE & Heartbleed Mitigation


Introduction

Ever since Edward Snowden revealed some of the NSA's secrets, a lot of websites have been looking into options to secure their traffic. Using SSL for HTTPS/TLS connections is one of the most widely used techniques, but using the right settings is what matters most. Most modern web servers ship with all cipher suites enabled, so fine-tuning is necessary.

I'm using Ubuntu on my servers, so this short howto uses its command set.

Configuration

Apache 2.x

Enable mod_headers

Enable headers
a2enmod headers

Edit your SSL-enabled VirtualHost and add the following settings:

Settings from default-ssl.conf
# SSL settings for Heartbleed and POODLE mitigation
# Test at https://www.ssllabs.com/ssltest/analyze.html?d=blog.dobrev.eu
# Drop SSLv2 and SSLv3 (POODLE targets SSLv3); only TLS versions remain
SSLProtocol All -SSLv2 -SSLv3
# Prefer ECDHE/DHE suites (forward secrecy) with AES-GCM first; exclude
# anonymous, NULL, low-strength, 3DES, MD5, export, PSK, SRP, DSS and RC4 suites
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

# Enable HSTS (HTTP Strict Transport Security); max-age of 63072000 seconds is two years
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

# Disable embedding of the site in frames/iframes (clickjacking protection)
Header always set X-Frame-Options DENY
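
To check the Apache settings above without waiting for an external scan, here is an added Python example (not from the original post): it evaluates an SSLProtocol line the way mod_ssl does, which shows that keyword order matters, and lints the Strict-Transport-Security and X-Frame-Options values a response carries. The expansion of `All` is an assumption; the real set depends on the mod_ssl and OpenSSL build.

```python
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANON = {p.lower(): p for p in PROTOCOLS}   # mod_ssl matches keywords case-insensitively

def parse_ssl_protocol(directive):
    """Protocol set an Apache SSLProtocol value enables, using mod_ssl's rules:
    an unprefixed keyword replaces the set, '+' adds to it and '-' removes.
    Assumption: 'All' means every name in PROTOCOLS (really build-dependent)."""
    enabled = set()
    for token in directive.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else (None, token)
        want = set(PROTOCOLS) if name.lower() == "all" else {CANON.get(name.lower())}
        if None in want:
            raise ValueError("unknown protocol keyword: %r" % name)
        if action == "-":
            enabled -= want
        elif action == "+":
            enabled |= want
        else:            # bare keyword: start over with exactly this set
            enabled = want
    return enabled

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    out = {"max-age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            out["max-age"] = int(val.strip().strip('"'))
        elif name in out:
            out[name] = True
    return out

def check_headers(headers, min_age=31536000):
    """Problems with a response's HSTS and X-Frame-Options headers (names matched
    case-insensitively); min_age defaults to the one year the preload list demands."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems.append("missing Strict-Transport-Security")
    else:
        p = parse_hsts(hsts)
        if p["max-age"] is None or p["max-age"] < min_age:
            problems.append("HSTS max-age below %d" % min_age)
        if not p["includesubdomains"]:
            problems.append("HSTS lacks includeSubDomains")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return problems
```

Note that `-SSLv2 -SSLv3 All` re-enables SSLv3, because the bare `All` replaces everything parsed before it; the post's order, `All -SSLv2 -SSLv3`, is the one that works.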

Dovecot

Edit /etc/dovecot/dovecot.conf and set:

/etc/dovecot/dovecot.conf
ssl_protocols = !SSLv2 !SSLv3
