SSL

Tighten SSL security: SSL certificate chain and SSLCipherSuite

Update SSLCipherSuite

Issue

Clicking the certificate info in Chrome, you'll see the message:

"Your connection is encrypted using an obsolete cipher suite."

Solution

vi /etc/httpd/conf/extra/httpd-ssl.conf

Replace SSLCipherSuite with the following:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"

Restart Apache.

service httpd restart

Optional: Update ssl_cipher in directadmin.conf

vi /usr/local/directadmin/conf/directadmin.conf

Replace or add:
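As an added example (not code from the post), a small Python checker that parses an SSLCipherSuite line into OpenSSL cipher-list tokens and reports any of the exclusions above that are missing, duplicated tokens (the string above lists !LOW twice), and positive tokens that name an excluded primitive. The REQUIRED_KILLS set and the WEAK sample directive are constructed for the example; HARDENED is the directive from the post.

```python
import re

# Exclusions (OpenSSL "kill" rules) the hardened string relies on.
# Assumption: this is the set used in the post's directive, not an official list.
REQUIRED_KILLS = {"aNULL", "eNULL", "LOW", "RC4", "MD5", "EXP"}

# The directive from the post, as it appears in httpd-ssl.conf.
HARDENED = (
    'SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 '
    'EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH '
    'EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP '
    '!PSK !SRP !DSS"'
)
# Constructed sample of a weak, unhardened directive for comparison.
WEAK = "SSLCipherSuite ALL:!aNULL:RC4-SHA"


def parse_cipher_suite(directive):
    """Split an SSLCipherSuite line into OpenSSL cipher-list tokens.

    OpenSSL accepts ':' , ',' or whitespace as separators; Apache allows the
    value to be quoted, so both forms are handled.
    """
    m = re.match(r'^\s*SSLCipherSuite\s+"?(.*?)"?\s*$', directive)
    if not m:
        raise ValueError("not an SSLCipherSuite directive")
    return [t for t in re.split(r"[\s:,]+", m.group(1)) if t]


def audit_cipher_suite(directive):
    """Report missing kill rules, duplicated tokens and weak positive tokens."""
    tokens = parse_cipher_suite(directive)
    kills = {t[1:] for t in tokens if t.startswith("!")}
    seen, duplicates = set(), []
    for t in tokens:
        if t in seen and t not in duplicates:
            duplicates.append(t)
        seen.add(t)
    # A positive token naming a weak primitive (e.g. RC4-SHA) is flagged;
    # token parts are split on '+' (AND) and '-' (suite names).
    weak_positive = [
        t for t in tokens
        if not t.startswith("!") and set(re.split(r"[+-]", t)) & REQUIRED_KILLS
    ]
    return {
        "tokens": len(tokens),
        "missing_kills": sorted(REQUIRED_KILLS - kills),
        "duplicates": duplicates,
        "weak_positive": weak_positive,
    }


if __name__ == "__main__":
    for name, directive in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_cipher_suite(directive))
```

The checker only inspects the directive text; confirm the running server's negotiated suites separately, since OpenSSL's cipher string expansion decides what is actually offered.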

Tags: Server admin SSL DirectAdmin

Speed up and secure Apache SSL encryption.

By default, Apache loads a large set of encryption protocols, most of which are insecure, slow, or both.

The file locations below are for DirectAdmin's Apache 2.4.x build; however, you should be able to find the same settings in your own Apache .conf files.

vi /etc/httpd/conf/extra/httpd-ssl.conf

Configure Apache to use only the fastest and strongest encryption algorithms.

Now comment out the default SSL settings and add new ones as shown below:

Tags: apache SSL security performance