I have implemented SSL(https) in my website, but when I checked the certificate it is showing poodle vulnerability. So it suggests me that I needed to change SSL 3.0 to TLS. I am using Apache2.4. Please guide me how can I change SSL 3.0 to TLS.
Put the following in the VirtualHostconfiguration section for your site:
SSLProtocol all -SSLv2 -SSLv3
It will disable SSLv2 & SSLv3, while keeping the others (TLS 1.0+) enabled.
Apache
To disable SSLv3 on your Apache server you can configure it using the following, both in the SSL configuration section and in all SSL-enabled virtual hosts explicitly:
SSLProtocol All -SSLv2 -SSLv3
Related
I'm using TLSv1.2 along with OpenSSL version 1.1.1g and Apache version 2.4.35 in my Java application. Here I want to enable only 3 protocols(chacha20-poly1305, AES-GCM, AES-CCM), and I want to block the remaining protocols in TLSv1.2.
I added those 3 protocols in SSLCipherSuite which was present in the ssl.conf file.
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
But it is not working. Please find the below error details,
SSLProtocol: Illegal protocol 'TLSv1.2'
Kindly let me know the changes which I need to make only those 3 protocols work.
We are using apache http server 2.2.29 and jboss 6.4.
We are using Mod proxy for communication between web server and jboss application server.
We are planning to disable TLSv1.0 in mod proxy configuration. After disabling tlsv1.0, the mod_proxy's ssl configuration looks like below.
SSLProxyEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ALL:HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /app/certificates/star_rpmi.cer
SSLCertificateKeyFile /app/certificates/rpmi.key
SSLProxyMachineCertificateFile /app/jboss.keystore
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1
However, once we disable the tlsv1.0, the communication between mod proxy and jboss application server fails.
In apache's debug logs, we have found that the ciphers suits being negotiated is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
This cipher suit have been added in jboss application server configuration file as well. However, the connection is still failing.
What could be the reason behind this?
Really hope for some help in my problem with SSLCipherSuite... So i have this kind of virtualhost config:
<VirtualHost *:443>
DocumentRoot /home/webz/site.com
ServerName site.com
ServerAlias www.site.com
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite "kEDH:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DHE-RSA-SEED-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DH+3DES:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!RC4"
SSLCompression off
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/site.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/site.com.key
SSLCertificateChainFile /etc/httpd/ssl/DigiCertCA.crt
</VirtualHost>
Everything works fine also security is ok by test. (https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp)
PROBLEM: I am trying to install payment module (REDSYS) for Opencart 2. Redsys support team are not activating payment module because they ask me to add one off SSLCipherSuite below:
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
At the moment all SSLCipherSuite starts with TLS... :( So how to add one of those SSLCipherSuites with SSL_RSA... ??? Hope there is somebody who knows good SSL and will help...
According to your configuration you have such cipher suites already. For example you've included AES256-SHA which is the same as TLS_RSA_WITH_AES_256_CBC_SHA. And the SSL_ prefix instead of the TLS_ prefix is just a convention from the old times where TLS was called SSL (i.e. TLS 1.0 is in effect SSL 3.1).
It is more likely that your restriction to TLS 1.1 and TLS 1.2 causes the problem, because given that they require you to use such old ciphers and cannot even handle ECDHE ciphers might indicate that they have a very old client which is not able to speak TLS 1.1 or TLS 1.2.
Of course it might also be that you've included different ciphers in other (i.e. not shown) parts of your server configuration which take precedence. To get information what kind of ciphers your server really supports check your site with SSLLabs.
EDIT: The analysis by SSLLabs shows quite clearly that TLS_RSA_WITH_AES_256_CBC_SHA (which is the same as SSL_RSA_WITH_AES_256_CBC_SHA or AES256-SHA) is enabled on the server as requested. If my assumption is correct the real problem is that they use an old client which does not speak TLS 1.1 or TLS 1.2 yet. In this case you could change your configuration for the supported protocol versions to allow TLS 1.0 too:
SSLProtocol all -SSLv3
With this configuration TLS 1.0 and better (i.e. TLS 1.1, TLS 1.2) are supported.
I have a site. I bought SSL certificate for that site. I am getting below message when I click on Padlock Icon.
I would like to display "using an modern cipher suite" instead of "using an obsolete cipher suite" in above image.
How can I do that ??
(Actually I am new in SSL. I know little about SSL and cipher suite. I think I failed to express it properly.)
Head over to the Mozilla SSL Configuration Generator, select your version of Apache and OpenSSL and specify your profile as "Intermediate" (for maximum compatibility). Disable HSTS until you know what it is.
Copy the directives SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder and place them in your Apache configuration file.
For example:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
I have Apache 2.4 installed on Windows Server 2008 R2 (not using IIS) I currently have SSL enabled with a 2048 cert.
How can I change Apache to switch from using SSL to using TLS?
Thank you
You can change SSLProtocol directive in your httpd-ssl.conf file as below
SSLProtocol all -SSLv3
More details can be found here
UPDATE
SSLEngine on
SSLProtocol all -SSLv3