Tighten SSL security: SSL certificate chain and SSLCipherSuite

Update SSLCipherSuite

Issue

Clicking the certificate info in chrome, you'll see a message:

"Your connection is encrypted using an obsolete cipher suite."

Solution

vi /etc/httpd/conf/extra/httpd-ssl.conf

Replace SSLCipherSuite with the following:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"

Restart Apache.

service httpd restart

Optional: Update ssl_cipher in directadmin.conf

vi /usr/local/directadmin/conf/directadmin.conf

Replace or add:
ssl_cipher=HIGH:!aNULL:!MD5

With:
ssl_cipher=EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS

Then when you use custombuild, it will use the above settings in /etc/httpd/conf/extra/httpd-ssl.conf

Update SSL certificate chain resolver

Issue

Checking your certificate at ssllabs.com you'll see the following

"Chain issues Incomplete"

Solution

In directadmin, under your account SSL Certificates settings. Add the following under "Paste a pre-generated certificate and key":

Replace SSLCipherSuite with the following:

-----BEGIN RSA PRIVATE KEY-----
(YOUR RSA KEY;  should be there already)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(YOUR DOMAIN CERTIFICATE; should be there already)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(SSL ISSUER INTERMEDIATE CERTIFICATE; will be included in the same email your domain certificate came with)
-----END CERTIFICATE-----
Tags: Server admin SSL DirectAdmin