Strengthening SSL Services on Your Web Server (Apache/ Linux)

This is a very short tutorial concerned with one aspect of cyber-security - the strength of the ssl service on your web server. The background is that ssl services on your web site are used to ensure that no-one can hack data which is being transmitted to and from your web site. There have been well publicized attacks on vulnerable SSL services such as the Heartbleed bug in OpenSSL and the Poodle bug which exploited SSL 3.0 vulnerabilities. (This area is a moving target so you need to to build SSL testing into your ISO 27001 plan-do-check-act (PDCA) cycle.)

When ssl is installled on your web site using a certificate from a recognised provider, you will see that your website can be accessed from https://yourdomain.com. This means that data is transmitted back and forward in encrypted format. In contrast, http://yourdomain.com or weak encryption exposes transmitted data in clear text which means that even a kiddy hacker can access your password data etc using readily available tools such as Wireshark.

For the rest of this tutorial, I assume that you will be using Apache as your web server on Linux and that you have access to your web server through a terminal emulator such as putty. For simplicity, I am also going to assume that your ISP has provided your SSL certificate and you have the capability to re-configure some aspects of it.

Simply go to https://www.ssllabs.com/ssltest/ and enter your domain name beside the Hostname box and select the "Do not show the results on the boards"checkbox and click on the submit button. (Please note that you should not test any domains without prior permission and you should never show results on the boards.)

After the tests have been run, you will be assigned a score fro F to A+. You will be given a detailed test results which hopefully make it obvious to you why you have been given your assigned score.

The usual reasons for failing are because you are using out of date components such as ciphers or protocols. I will focus on ciphers soon but first a quick word about cryptographic protocols.

Cryptographic protocols provide communications security over a computer network. ... The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The two main protocols are TLS and SSL. The latter is prohibited from use and in turn, TLS is evolving and so as I write this, the latest version is 1.3, albeit in draft format. In practical terms, as at Jan 2018, you should only have TLS v 1.2. enabled. There will be probably be a move to TLV v 1.3. during 2018. The Qualys test will list what cryptographic protocols you have applied and currently, if you are using below TLS v 1.2., you will receive a poor score.

One last thing to say about cryptographic protocols, when you buy a web package and SSL certificate from a mainstream ISP such as GoDaddy, it will be TLS v 1.2. which is good but further down the line, you may find it difficult to upgrade to say TLS v 1.3. Personally, I install my own SSL certificates and I am therefore in control of my own destiny, so to speak.

One of the important areas which is tested in the Qualys SSL test and the focus of this section is Cipher suites which determine the encryption strength of your transmitted data. Here is a example output from a Qualys SSL test on one of my domains.

Cipher Suites# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS128

You may spend a lot of time re-configuring your Apache configuration to remove red lines (fails) from your Qualys test report but I recommend the following approach to get the best Cipher Suite settings.

1) Visit the Apache web site and elicit their recommendations for a Cipher Suite to use. At time of writing, I followed this link - https://httpd.apache.org/docs/trunk/ssl/ssl_howto....

2) Add the recommended setting to your Apache configuration file and restart Apache. This was their recommended setting which I used.

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Notes - One of the challenges is to find which file you need to change your SSLCipherSuite directive, To do this, log onto Putty and log in to the etc directory (sudo cd /etc) Look for an apache directory such as apache2 or http. Next, do a search on the apache directory as follows : grep -r "SSLCipherSuite" /etc/apache2 - This will give you an output similar to this :

/etc/apache2/mods-available/ssl.conf:#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES/etc/apache2/mods-available/ssl.conf:#SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!DES /etc/apache2/mods-available/ssl.conf:#SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

The important thing to note is the file /etc/apache2/mods-available/ssl.conf or whatever is yours. Open the file using an editor such as nano and go to the section # SSL Cipher Suite:. Next replace the existing entry in the directive SSLCipherSuite with the one above from the Apache website. Remember comment out older SSLCipherSuite directives and restart Apache - in my case, I did this by typing sudo /etc/init.d/apache2 restart

Note that sometimes you may need to remove specific ciphers which are giving you a low Qualys SSL test score (say because new vulnerabilites have been discovered) even though you have used the recommended Apache settings. An example is if the following line appears in red (fail) on your Qualys report TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) The first step is to find which code you need to change in your Apache SSLCipherSuite directive. To find the code, go to https://www.openssl.org/docs/man1.0.2/apps/ciphers... - this shows the code as follows: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384

Take ECDHE-RSA-AES256-GCM-SHA384 and remove it from the entry you added as the Apache Apache SSLCipherSuite directive and then add it to the end by preceding it with :!

Again, restart Apache and retest

I have that you have learned something about SSL testing. There is a lot more to learn about this but hopefully, I have pointed you in the right direction. In my next tutorials, I will be covering other areas of Cyber Security so stay tuned.