Secure an #nginx or #apache website using #ssllabs.com

By | October 14, 2018

From time to time is good to perform a security audit to your Internet exposed services. Things change fast online so you have to keep up with the security reports to be able to maintain secure services online.

My favorite tool for SSL related security audit is the great resource at www.ssllabs.com.

The audit performed by the ssllabs gives you great insights about what you have to do to secure your web site. I this post I will insist only on keeping up with the SSL Cipher Suites and eliminate the weak or unsecure ones.

By eliminating the weak or unsecure cipher suites from supported list will mitigate against one of the easiest attack vector: the force downgrading of the SSL connection to an unsecure cipher.

When using ssllabs.com to secure Apache or Nginx that use OpenSSL naming convention for ciphers, the following page is a huge help, because ssllabs uses the standard IANA names for ciphers:

Security/Server Side TLS – MozillaWiki

The page has a complete list of the cipher terms used by different sources. For Apache or Nginx look in the OpenSSL column for the translation of the IANA name.

In my latest security scan I discovered that some extra ciphers (TLS_RSA class) were declared by security experts and included in the ssllabs report as weak or unsecure.

Bellow is the conversion from IANA -> OpenSSL naming:

TLS_RSA_WITH_AES_256_GCM_SHA384 =  AES256-GCM-SHA384 
TLS_RSA_WITH_AES_128_GCM_SHA256 =  AES128-GCM-SHA256 
TLS_RSA_WITH_AES_256_CBC_SHA256 =  AES256-SHA256 
TLS_RSA_WITH_AES_128_CBC_SHA256  =  AES128-SHA256 
TLS_RSA_WITH_AES_256_CBC_SHA  =  AES256-SHA 
TLS_RSA_WITH_AES_128_CBC_SHA  =  AES128-SHA 
TLS_RSA_WITH_AES_256_CCM_8 =  AES256-CCM8 
TLS_RSA_WITH_AES_256_CCM =  AES256-CCM 
TLS_RSA_WITH_AES_128_CCM_8 = AES128-CCM8 
TLS_RSA_WITH_AES_128_CCM =  AES128-CCM
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 =  CAMELLIA256-SHA256 
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 =  CAMELLIA128-SHA256 
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA  =  CAMELLIA256-SHA 
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA =  CAMELLIA128-SHA 

According to the above naming conversion:

For Apache append the above to “SSLChiperSuite” in your SSL section of the web server configuration.
The result is the following ciphers list that gets me an A+ rating on ssllabs.com:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!AES256-CCM8:!AES256-CCM:!AES128-CCM8:!AES128-CCM:!CAMELLIA256-SHA256:!CAMELLIA128-SHA256:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!ECDHE-RSA-CAMELLIA256-SHA384:!DHE-RSA-CAMELLIA256-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!DHE-RSA-CAMELLIA128-SHA256:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA

For Nginx append the above to “ssl_ciphers”in your SSL section of the web server configuration.
The result is the following ciphers list that gets me an A+ rating on ssllabs.com:

ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!AES256-CCM8:!AES256-CCM:!AES128-CCM8:!AES128-CCM:!CAMELLIA256-SHA256:!CAMELLIA128-SHA256:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!ECDHE-RSA-CAMELLIA256-SHA384:!DHE-RSA-CAMELLIA256-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!DHE-RSA-CAMELLIA128-SHA256:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA';

As a good practice you should perform a ssllabs.com security scan at least every month or when you hear some security report that talks about SSL vulnerabilities and improve your SSL cipher list.

If you want to be even more strict and up to date to the latest security settings you can use the mozilla tool CipherScan.
By using the ./analyze.py blog.voina.org command you get a list of recommendations for ciphers to add or remove.

Contribute to this site maintenance !

This is a self hosted site, on own hardware and Internet connection. The old, down to earth way 🙂. If you think that you found something useful here please contribute. Choose the form below (default 1 EUR) or donate using Bitcoin (default 0.0001 BTC) using the QR code. Thank you !

€1.00

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.