Apache Lounge
Test Your SSL Server Now! SSL Labs
Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips
Steffen
Posted: Tue 13 Jul '10 19:18    Post subject: Test Your SSL Server Now! SSL Labs

Ivan Ristic (mod_security author) has a fantastic tool on his site to test your SSL configuration.

Go to http://www.ssllabs.com, at the bottom enter your domain name for a detailed security assessment of your SSL server.


Steffen
James Blond
Posted: Tue 13 Jul '10 20:12

I made that test. It tells me that I use insecure SSL 2.0. How can I turn that off in httpd.conf? Yepp, I'm too lazy for RTFM ;)
glsmith
Posted: Tue 13 Jul '10 20:20

SSLProtocol all -SSLv2

Edit:

Actually, if you are speaking of this one:
SSL 2.0+ Upgrade Support

The only way to remove it is to disable sslv3 as well.
SSLProtocol +TLSv1

Doing that and removing the DES cipher during my new OSSL build, I have been able to achieve an overall score of 90.

My first score was a 76, second (DES removed) was 85, now a 90. I wonder what clients are around that are not compatible with this setup. Should I even care becomes the next question.

This test is a Kobayashi Maru, as it seems impossible to get a 100 today because, as far as I know, TLS/1.2 is nothing more than theory at this time. TLS1.1 will be in OSSL 1.0.1 IIRC, that still leaves the server unable to get a 100.

Edit 2:

Doing this actually changed the PCI Compliant flag from No to Yes


Last edited by glsmith on Wed 14 Jul '10 1:05; edited 1 time in total
James Blond
Posted: Thu 22 Jul '10 19:05

I wonder how you could get such a good result. My first try today with startcom certs is at 61 points.

Since you know the Kobayashi Maru test, you must have seen Star Trek ;)
Steffen
Posted: Thu 22 Jul '10 19:16

First I had a very bad score with a self-signed certificate.

I installed a certificate from https://www.startssl.com/ and now A88.

I changed also my strings in my httpd-ssl.conf to:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!aNULL:!LOW

Try those strings if you have a bad score.

Btw: startssl (startcom) is very cheap: for ~39 Euro you get a wildcard/multidomain certificate for 2 years.

Steffen
James Blond
Posted: Thu 22 Jul '10 21:13

Indeed! I forgot this.

Code:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateChainFile /path/to/sub.class1.server.ca.pem
SSLCACertificateFile /path/to/ca.pem

So now it is 79 points.

Only the Cipher Strength still lags at 60 points. I guess I have to compile SSL again maybe, but I don't know if that is so clever. As Gregg mentioned, which client will be compatible with such an encryption?

OK, adding
Code:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

then I have 91 points, without recompiling OSSL.
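As an added example (not code from the thread's authors or from the Apache project), a small Python audit of the SSLProtocol and SSLCipherSuite lines quoted in this thread: it resolves mod_ssl's `all`/`+`/`-` keywords to the protocol set actually enabled, and checks the OpenSSL cipher string for the exclusions that separate the 79-point string from the 91-point one (`!aNULL` and `!LOW`; `!ADH` alone leaves other anonymous suites in). It assumes the 2010-era keyword set (SSLv2, SSLv3, TLSv1) unless you pass a newer one, and also flags RC4, which the thread favoured but which is prohibited today (RFC 7465).

```python
# Protocol keywords mod_ssl knew in 2010; newer builds add TLSv1.1 and TLSv1.2.
OLD_MODSSL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

def effective_protocols(directive, known=OLD_MODSSL_PROTOCOLS):
    """Resolve an 'SSLProtocol ...' line to the set of protocols it enables."""
    # mod_ssl semantics: bare keyword sets the list, '+' adds, '-' removes, 'all' = every known one.
    enabled = set()
    for tok in directive.split()[1:]:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        names = set(known) if name.lower() == "all" else {name}
        if op == "-":
            enabled -= names
        elif op == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def cipher_suite_findings(directive):
    """Weakness classes an 'SSLCipherSuite ...' string leaves open (OpenSSL cipher syntax)."""
    tokens = directive.split(None, 1)[1].split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    positive = {t.lstrip("+") for t in tokens if not t.startswith(("!", "-"))}
    findings = []
    # !ADH only drops anonymous DH; !aNULL drops every anonymous suite (ADH and AECDH).
    if "aNULL" not in excluded:
        findings.append("anonymous suites not excluded (!ADH alone is not enough)")
    if not excluded & {"EXP", "EXPORT"}:
        findings.append("export-grade suites not excluded")
    if "LOW" not in excluded:
        findings.append("LOW-strength suites not excluded")
    # ALL already omits eNULL, so only flag null encryption when it is asked for explicitly.
    if positive & {"eNULL", "NULL", "COMPLEMENTOFALL"}:
        findings.append("null-encryption suites enabled")
    # RC4 was the thread's fast cipher of choice in 2010; it is prohibited today (RFC 7465).
    if any("RC4" in t for t in positive):
        findings.append("RC4 enabled")
    return findings

def audit(config_text):
    """Audit an httpd-ssl.conf fragment line by line; returns a list of findings."""
    findings = []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.lower().startswith("sslprotocol"):
            bad = sorted(effective_protocols(line) & {"SSLv2", "SSLv3"})
            findings += ["%s enabled" % p for p in bad]
        elif line.lower().startswith("sslciphersuite"):
            findings += cipher_suite_findings(line)
    return findings
```

Run `audit()` over the two directives from the post above to see why the first string scored lower; pass `known=` with TLSv1.1/TLSv1.2 added to mirror a current mod_ssl build.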
glsmith
Posted: Fri 23 Jul '10 0:20

3 words ... I Love StartSSL!
Been using their class 1s for years now, even when IE didn't like them.

Edit: 7-23-10

I just stumbled onto this ... vague in a sense but interesting
Overclocking SSL
James Blond
Posted: Sat 24 Jul '10 8:27

I wonder why he prefers 128-bit RC4 to 256-bit AES. OK, he said that it is 3 times faster. Is there any benchmark?
Too bad that some parts are only for Apache 2.3.
glsmith
Posted: Sat 24 Jul '10 20:24

I'd imagine abs.exe for the benchmark.