How to get an A+ Rating with 100% score on the SSLLabs Test with Apache

Introduction

This configuration is a bit of a moving target, and will likely change in future as security changes.

This is a fairly simple process. Configure all the steps and you will get an A+ rating with 100% score for Certificate, Protocol Support, Key Exchange & Cipher Strength.

This configuration is known to work on Ubuntu 16.04 LTS, but it should work on other setups providing you have the right software versions. Please note that the configuration of DH / ECDH requires at least Apache 2.4.8+ with OpenSSL 1.0.2+.

This set of instructions also assumes that you have a working SSL configuration with the proper CA signed certificate of 4096 bit RSA.

If you need more information on how to do that. Look at this article.

https://itigloo.com/security/generate-an-openssl-certificate-request-with-sha-256-signature/

** Please backup your configuration before you make changes. Just in case **

Configure Secure Cipher Suites

Edit /etc/apache2/mods-enabled/ssl.conf

Modify the “CipherSuites” parameter to disable all Cipher Suites that are not 256 bit or above.

SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"

Configure SSL / TLS Protocols

Also in /etc/apache2/mods-enabled/ssl.conf

Ensure that only TLS 1.2 is enabled. All modern web browsers support this, including Internet Explorer 11 on Windows 7+, Safari 7+, Firefox, Google Chrome. On Mobile, Android 4.4+ and IOS 6+

SSLProtocol TLSv1.2

Configure DH / ECDH Parameters

This section is specific to Apache 2.4.8+ with OpenSSL 1.0.2+.

Generate 4096-bit Diffie-Hellman parameters. This could take anywhere from 10 minutes to several hours. It really depends on the speed of the computer it runs on.

openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096

Then add the following configuration to your Apache SSL configuration VirtualHost. By default this would be in /etc/apache2/sites-enabled/default-ssl.conf.

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

Next, add the configuration parameters for the Elliptic Curve Ciphers. By default, a 256-bit Curve is used, but this isn’t secure enough if you are going for the 100% rating on SSLLabs.com. These options raise the minimum to 384 bits.

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1

Enable OCSP Stapling

OCSP Stapling allows the web server to cache the Certificate Revocation Status of the Certificate. It takes the burden of checking away from the client. For more information check https://en.wikipedia.org/wiki/OCSP_stapling

Edit /etc/apache2/mods-enabled/ssl.conf. Add the below options.

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Enable HTTP Strict Transport Security (HSTS)

Enable the Apache Headers Module

a2enmod headers

Add the following to your HTTPS Virtual Host directive in /etc/apache2/sites-enabled/default-ssl.conf.

# HTTP Strict Transport Security Header.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomainsi; preload"

This tells the client web browser that this site should only ever be accessed via HTTPS. The client web browser then caches that information for the time specified in max-age.

Other SSL  / TLS Settings

Make sure the following other settings are set. These ensure that the Cipher Suites are presented in the best order rather than Apache guessing. Then ensure that compression is disabled.

The following configuration goes in /etc/apache2/mods-enabled/ssl.conf

#Turn of SSL Compression. Mitigates CRIME Information leakage attack
SSLCompression off

#Ensure Ciphers are used in order.
SSLHonorCipherOrder on

Optional: Add Other Security Headers

Add the following additional headers to satisfy a few other issues that usual turn up in Pen Test Reports.

Edit /etc/apache2/sites-enabled/default-ssl.conf

# Set a same origin policy
Header always set X-Frame-Options SAMEORIGIN

# Rewrite any session cookies to make them more secure 
# Make ALL cookies created by this server are HttpOnly and Secure Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

#Prevent browsers doing MIME Type sniffing.
Header always set X-Content-Type-Options nosniff

 

That is it. If you restart Apache and run an https://www.ssllabs.com Test, you should get full marks.

Advertisements

Raspberry Pi Line Status Display Instructions Updated

I have just updated my instructions on how to create a TfL Underground Line Status Display with more information. I have also included links to additional TfL Data sources.

https://itigloo.com/raspberry-pi/london-underground-tube-service-display/

 

Linux Shell Scripting Cookbook available Free – Today Only

For the next 18 hours Packtpub Linux Shell Scripting eBook is available for free.

Get it here.

https://www.packtpub.com/packt/offers/free-learning

Free IT eBooks from Packpub until 5th March

Packtpub have a great offer on at the moment. They are giving away a different eBook everyday until the 5th March.

Today’s book is on Selenium 2

https://www.packtpub.com/packt/offers/free-learning

Enjoy

Configuring HSTS & OCSP Stapling

There are a couple of new technologies that are becoming more widely used that you may what to think about using. I have written a couple of pages explaining what they are and how to use them. They are definitely worth a look if you are a web server administrator.

How to Configure OCSP Stapling on Apache HTTP Server

How to Configure HTTP Strict Transport Security on Apache & NGINX

David Cameron wants new laws to restrict terrorists communication

David Cameron the UK Prime Minister has stated in an event in the East Midlands that new online data laws are required to remove the safe places that Terrorists communicate with each other. He also stated that he would push this if re-elected as Prime Minister.

http://www.bbc.co.uk/news/uk-politics-30778424

One particular statement is of concern to me. David Cameron said, “There should be no means of communication which we cannot read”. This statement worries me. It implies that the use of encryption will be restricted in some way. Maybe by restricting the levels of encryption is use or by inserting backdoors into software or hardware. Can you imagine the notion of a backdoor? This means intentionally adding an alternative way of gaining access. What if the bad guys found this too.

On one hand I am patriotic and want to make sure that the police and security services can do their job. Mainly to protect me and my family from terrorists and other criminals. On the other hand I am a security professional and understand the continual and ongoing threat from criminals that try to attack and abscond with our data, or worse in some cases.

Because of this I want to make sure that my data and the services that I use are protected in the best ways possible. This is an ongoing struggle, and something that needs to evolve as time goes on.

An example of this is the recent issues with OpenSSL (Poodle & Heartbleed). I have had to make various changes to the security settings I use of the past year. If my Government had mandated that I need to use a maximum of SSLv3, then suddenly I would have a problem. I could not go to TLSv1.0 because I would be breaking the law, and I could not stay with SSLv3 because my data would be at risk. The nature of politics does not allow for law changes over night. Suddenly I am between a rock and a hard place. What do you do?

I would like to draw your attention to Moore’s Law, that stated “Computing performance doubles every 18 months”. Computing is by its very nature dynamic. Put simply… Things can change very quickly, in sometimes unpredictable ways. I truly hope that the people in power that make these kinds of laws recognise that.

The last thing I would like to draw your attention too, is Edward Snowden. He recognised that the American government had too much power and that this needed reigning in, so they are held accountable for their actions . We need the same in the UK. We need to make sure that our government is held responsible for their actions and that they are not allowed to do anything stupid.

In closing, terrorists and criminals are clever. What is to stop them from using services outside the UK without restricting our right to a free and open Internet?

*Update 14th January 2015 @ 07:55

Since I wrote this The European Union Agency for Network and Information Security (ENISA) has published a report stating at more security and encryption and privacy is needed, not less.

http://www.theregister.co.uk/2015/01/14/ensia_encryptions_great_but_privacy_still_sucks/

http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design

 

How to secure SSH

I found this article today that goes into a lot of depth on how to properly secure SSH. It is definitely worth a read.

https://stribika.github.io/2015/01/04/secure-secure-shell.html

What is good about this article is that it covers all the various Cipher Suites available to SSH and which are secure and how to disable those that are of lower quality.

One thing to note. This article was written on 4th January 2015. This is great for now, but be aware that in 1 year, 6 months or even next week, things could have changed.

 

Plusberry Pi – Ultimate Raspberry Pi Case

The Plusberry Pi is a special case for the Raspberry Pi. The most important thing about it is that it has enough space of a dedicated 2.5″ HDD.

It looks like a fabulous case. Just what I am looking for.

The only issue is that it is a Indiegogo project looking for funding.

Plusberry Pi Media Case on Indiegogo

As of writing it has 91% of the funding required ($35,350 out of $39,000). So not far to go, but only 4 days to go.

If you have any interest in the Raspberry Pi then this project would make a great investment, especially as it is the only case I have found that is designed specifically to house a 2.5″ HDD. It would be particularly useful for a home media server.

Take a look and see what you think.

Netflix Logo

Ubuntu 14.04 LTS to get Native Netflix support

In a recent discussion with Ubuntu developers, it seems that Netflix will soon work natively on Ubuntu 14.04 LTS in the Google Chrome browser.

This has become possible because of the development of the HTML5 player.

The only prerequisite is for the NSS security package to be upgraded to at least version 3.17. This is planned to occur in the next couple of weeks as a standard security enhancement.

At the moment it is possible to watch Netflix on Linux, but only if you adjust the User-Agent string in Google Chrome.

Update 23rd September 2014

I can now confirm that the NSS package has been updated to version 3.17 and that Netflix is now working in Google Chrome.

References

https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2014-September/015050.html

http://www.omgubuntu.co.uk/2014/09/netflix-linux-html5-nss-change-request

https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2014-September/015051.html

 

OpenSSL SHA256 Certificate Migration

Over the last week Google announced that they were going to stop supporting the SHA-1 algorithm for signing certificates.

Google’s SHA-1 deprecation announcement

Because of this I have created a couple of posts explaining how to migrate to SHA-256 based signatures.

Generate an OpenSSL Certificate Request with SHA-256 Signature

Change OpenSSL Default Signature algorithm

Since I wrote those pages other security companies have started to post their own migration strategies.

Qualys SHA1 Migration: What you need to know

In addition, all the major Certificate Authorities (CA) have started providing customers information specific to their services. So if you have certificates already, then contact your CA for further migration help.