March 16

Secure… for now

So, just finished up getting SSL working on this new site using Let’s Encrypt and certbot. I had to hack /etc/hosts to point back to the internal IP as I was getting hit with hairpinning, but once I got that sorted, certbot worked as expected. I had to make a couple of manual configuration changes to the Apache virtual host file to get the correct certificate files and added the following to enhance security, really disabling insecure cipher suites. Got the A+ at https://www.ssllabs.com/ssltest/analyze.html?d=andrewkrull.com so I am going to go with good for now on that front. Security is an ongoing thing so I will be taking another look at this in the next couple of days.

# Protocols: everything mod_ssl offers except SSLv2 and SSLv3 (TLS 1.0 and 1.1 stay enabled)
SSLProtocol all -SSLv2 -SSLv3
# Preference order: forward-secret AEAD suites first, CBC and static-RSA suites as fallback;
# the trailing !... exclusions drop anonymous, NULL, export, single-DES, MD5, PSK and RC4 suites.
# Note that !DES does not remove the 3DES suites (*-DES-CBC3-SHA) listed explicitly above.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Let the server, not the client, choose from the list above
SSLHonorCipherOrder On
# The Header directives need mod_headers; "Header always set" would also apply them to
# redirects and error responses. HSTS: two years, all subdomains; "preload" only takes
# effect once the domain is submitted to the browser preload list and is hard to undo.
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header set X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
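As an added check that is not part of the original post or its Apache configuration: the script below feeds the SSLCipherSuite string above to the local OpenSSL through Python's ssl module (so the suites it reports depend on that OpenSSL build), sorts what is actually enabled into forward-secret AEAD, CBC, static-RSA and 3DES buckets, and validates the Strict-Transport-Security value against the preload requirements. The function names, bucket names and the one-year minimum are this example's own choices.

```python
"""Audit the Apache TLS settings quoted above.

Added example for this post, not part of the original configuration. It asks
the local OpenSSL which suites the SSLCipherSuite string really enables,
classifies them, and checks the HSTS header value. The suite list depends on
the OpenSSL version Python is linked against.
"""
import re
import ssl

# The SSLCipherSuite value from the vhost above, verbatim.
CIPHER_STRING = (
    "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:"
    "!MD5:!PSK:!RC4"
)

# Name fragments the string claims to exclude; any hit means the string is broken.
EXCLUDED = re.compile(r"RC4|MD5|NULL|EXP|PSK|ADH|AECDH")


def enabled_ciphers(cipher_string=CIPHER_STRING):
    """Return the suite names OpenSSL enables for cipher_string, in the
    preference order a server with SSLHonorCipherOrder On would use.
    TLS 1.3 suites, if the local OpenSSL has them, are listed too even
    though this string does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(names):
    """Classify suites: 'weak' (should have been excluded), 'tdes' (3DES,
    which !DES does not remove), 'no_pfs' (static RSA/DH key exchange),
    'cbc' (forward secret but not AEAD), 'ok' (forward secret AEAD)."""
    report = {"weak": [], "tdes": [], "no_pfs": [], "cbc": [], "ok": []}
    for name in names:
        if EXCLUDED.search(name):
            report["weak"].append(name)
        elif "DES-CBC3" in name:
            report["tdes"].append(name)
        elif not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            report["no_pfs"].append(name)
        elif name.startswith("TLS_") or "GCM" in name or "CHACHA20" in name:
            report["ok"].append(name)
        else:
            report["cbc"].append(name)
    return report


def check_hsts(value, min_age=31536000):
    """Parse a Strict-Transport-Security value and return a list of problems.
    An empty list means the header meets the preload submission rules:
    max-age of at least one year (the min_age default) plus includeSubDomains
    and preload."""
    problems = []
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip().strip('"')
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(age) < min_age:
        problems.append("max-age %s is below %d seconds" % (age, min_age))
    for flag in ("includeSubDomains", "preload"):
        if flag.lower() not in directives:
            problems.append("%s missing" % flag)
    return problems


if __name__ == "__main__":
    names = enabled_ciphers()
    for bucket, suites in audit(names).items():
        print("%-7s %3d  %s" % (bucket, len(suites), " ".join(suites)))
    print("HSTS:", check_hsts("max-age=63072000; includeSubDomains; preload") or "ok")
```

Run it on the web server itself, since the point is what that host's OpenSSL does with the string; the 'tdes' and 'no_pfs' buckets are the suites worth dropping once SSL Labs confirms no client still needs them.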


Posted March 16, 2017 by administrator in category "Security"
