Hardening ssl - Qualys analysis


(jack) #1

Hi!
Today I’m playing with https://www.ssllabs.com, a site that checks SSL security.
After a Nethserver install it says “B” rating, showing some warnings:

So after googling I found a site that has some tips.
I have edited /etc/httpd/conf.d/ssl.conf changing:

SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES;

with

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

This results in an “A” rating.

The site also notes that this breaks compatibility with IE6/WinXP, and to use this instead to avoid the problem:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

But this results in an “A-” rating.

I’m not good enough in security to understand if I’m doing a good thing… what’s your advice about it?
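Apache passes the SSLCipherSuite value straight to OpenSSL's cipher-string parser, so the quickest way to see what the two strings from this post actually enable is to expand them with the same parser. The script below is an added example (not from this thread or from NethServer): it resolves both strings through Python's `ssl` module and classifies the result, showing that the strict "A" string only yields forward-secret ECDHE/DHE suites, while the IE6/WinXP-compatible "A-" string also turns on plain RSA key exchange (no forward secrecy) and 3DES suites, which is exactly the kind of thing SSL Labs marks down. It assumes Python 3.6+ (`SSLContext.get_ciphers`) linked against OpenSSL 1.1.0 or later; the exact suite list depends on the OpenSSL build it runs against.

```python
# Added example: expand Apache SSLCipherSuite strings with OpenSSL's own
# cipher-string parser (via Python's ssl module) and classify what they enable.
# Not code from the thread or from NethServer; assumes Python 3.6+ / OpenSSL 1.1.0+.
import ssl

# Cipher strings copied from the first post of the thread.
# The strict one scored "A" at ssllabs.com:
STRICT = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# The IE6/WinXP-compatible one scored "A-":
COMPAT = (
    "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:"
    "!MD5:!PSK:!RC4"
)

# Suite names with an ephemeral (forward-secret) key exchange start with one
# of these prefixes in OpenSSL's naming scheme.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# Substrings that identify suites nobody should still be offering.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP-", "ADH-", "AECDH-")


def expand(cipher_string):
    """Return the suite names OpenSSL enables for an SSLCipherSuite value,
    in preference order. TLS 1.3 suites (TLS_*) are configured separately
    and are not governed by this string, so they are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def classify(cipher_string):
    """Summarise an expanded cipher string: how many suites, which lack
    forward secrecy, which use 3DES, and which are outright weak."""
    names = expand(cipher_string)
    non_fs = [n for n in names if not n.startswith(FS_PREFIXES)]
    triple_des = [n for n in names if "DES-CBC3" in n]
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return {
        "count": len(names),
        "forward_secret_only": not non_fs,
        "non_forward_secret": non_fs,
        "3des": triple_des,
        "weak": weak,
    }


if __name__ == "__main__":
    for label, value in (("strict (A)", STRICT), ("compat (A-)", COMPAT)):
        result = classify(value)
        print(f"{label}: {result['count']} suites, "
              f"forward-secret only: {result['forward_secret_only']}")
        for key in ("non_forward_secret", "3des", "weak"):
            if result[key]:
                print(f"  {key}: {', '.join(result[key])}")
```

Running it prints both expansions; the same check can be done from a shell with `openssl ciphers -v '<string>'`, which is worth doing on the server itself, since the suite list depends on the OpenSSL version mod_ssl is linked against.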


(Artem Fedai) #2

For A+ you need Apache 2.4 and some modifications in the VirtualHost directive.


(jack) #3

Is it a bad idea to set it in Nethserver by default?


(Artem Fedai) #4

Grade A is quite good!


(Davide Principi) #5

The httpd/SSLCipherSuite prop has been changed to that value in the 6.7 release. The new default value comes from upstream. The entire story is on

http://dev.nethserver.org/issues/3246

To customize it:

config setprop httpd SSLCipherSuite
signal-event nethserver-httpd-update

Template: /etc/httpd/conf.d/ssl.conf