Hi,

I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.). But before doing that, I have to figure out a few things that work differently under CentOS.

Apache and SSL behave quite differently under these two distributions.

So far, Apache is running fine with HTTP and hosts a series of virtual hosts. I have installed Certbot and created a Let's Encrypt certificate for the server.

I have a "dummy" website under /var/www/html/default/html.

I installed mod_ssl and only edited the following directives in /etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.

--8<------------------------------------------------
...
DocumentRoot "/var/www/html/default/html"
ServerName sd-41893.dedibox.fr:443
...
SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
--8<------------------------------------------------

After restarting Apache, the website shows up correctly.

https://sd-41893.dedibox.fr/

But when I test it using Qualys SSL Labs Server Test, the results are a disappointment.

https://www.ssllabs.com/ssltest/

The site is rated "C", with the following remarks:

* "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C."
* "This server accepts RC4 cipher, but only with older protocols. Grade capped to B."
* "The server does not support Forward Secrecy with the reference browsers."
* "This site works only in browsers with SNI support."

I googled a bit, and to my surprise I only found articles about Apache and SSL on CentOS that seem - more or less - to use the default ssl.conf configuration.

On a side note, my Slackware servers have a default usable /etc/httpd/extra/httpd-ssl.conf file that gets an "A" on Qualys Labs, and even an "A+" when you add a two-liner.

Any suggestions on improving that?

Cheers,

Niki Kovacs

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32
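
One way to address the three grade-related remarks quoted above in /etc/httpd/conf.d/ssl.conf, given as an added example that is not part of the original post. The "before" values are an assumption about the stock mod_ssl defaults the post says were kept, and the cipher list is one reasonable choice among several.

```apache
# /etc/httpd/conf.d/ssl.conf, inside <VirtualHost _default_:443>

# Before (assumed stock defaults, not shown in the post):
#   SSLProtocol all -SSLv2
#   SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# "Vulnerable to the POODLE attack": refuse SSL 3 as well as SSL 2.
SSLProtocol all -SSLv2 -SSLv3

# "Does not support Forward Secrecy with the reference browsers":
# let the server's preference order win, with ECDHE suites listed first.
SSLHonorCipherOrder on

# "Accepts RC4 cipher": exclude RC4 explicitly. Plain AES stays at the end
# as a fallback for clients that cannot do ECDHE.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!RC4:!MD5

# Let's Encrypt file layout: cert.pem is the leaf only, chain.pem is the
# intermediates only, fullchain.pem is leaf + intermediates. Pairing
# cert.pem with fullchain.pem as the chain file sends the leaf twice,
# so the chain directive points at chain.pem here.
SSLCertificateFile      /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/chain.pem
```

Run `apachectl configtest` before restarting httpd, then repeat the SSL Labs scan to confirm that the SSL 3, RC4 and Forward Secrecy remarks are gone.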