
OS: GNU/Linux Debian 9.2, fully updated.

By "Hardening TLS web server Apache settings" I mean the following:

  • disabling TLS 1.0, already done with this setting:

    SSLProtocol -all +TLSv1.1 +TLSv1.2
    

    in the following file:

    /etc/apache2/conf-available/security.conf
    
  • disabling GZIP compression, already done with the following command:

    a2dismod deflate
    

    although it asked me whether I really wanted to disable this module; I had to type:

    Yes, do as I say!

    so naturally, I had some serious doubts, but it seems not to cause any issues.

    I originally thought that setting:

    SSLCompression Off
    

    would do the trick, but it seems to serve another purpose; anyway, going forward...

  • Setting a few useful Headers:

    Header always set X-Content-Type-Options "nosniff"
    
    Header always set X-Frame-Options "sameorigin"
    
    Header always set X-XSS-Protection "1"
    
    Header always set Content-Security-Policy "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'"
    
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    
  • Switching to 256-bit encryption:

    SSLCipherSuite ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:ECDH+AES256:DH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!DSS:!eNULL:!ADH:!EXP:!LOW:!PSK:!SRP:!RC4
    

    This is my main question, as I did not know how to do the switch properly, so I simply added 256 everywhere. Surprisingly, it works :) But is the line correct?

I hope I didn't mess up too much.


Tested on SSLLabs and many other sites, but if you want quick info, you might want to use:

https://cryptoreport.websecurity.symantec.com/checker/

The website I am securing is:

https://www.zalohovaniburian.cz/

(It does not yet contain anything more than "Under Construction" image.)


EDIT1:

  • I generated a larger DHParameters file with:

    openssl dhparam -out dhparams.pem 4096
    

    and ensured it is readable and writable only by root.

  • Finally, I included it in the file:

    /etc/apache2/mods-available/ssl.conf
    

    with the line:

    SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem"
    

EDIT2:

I bought a normal SSL certificate, so late today I replaced the free Let's Encrypt certificate that was there before with a SpaceSSL one.


EDIT3:

In addition to the above, I can't find out:

  • What DNS CAA record is my certificate using?

  • How to enable OCSP Must-Staple?

  • https://wiki.mozilla.org/Security/Server_Side_TLS is a good starting point – Håkan Lindqvist Nov 25 '17 at 18:30
  • `deflate` and `SSLCompression` have nothing to do with each other. You can use `deflate` completely independently from SSL; it will work the same way for pure HTTP domains. `deflate` enables compression at the HTTP level, which sits over the TLS/SSL level, in which you can have compression too, or not, depending on the `SSLCompression` parameter. – Patrick Mevzek Nov 25 '17 at 20:41
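As an added check on the SSLCipherSuite line asked about above (this is not code from the question or the answer), the following Python feeds the posted string to the OpenSSL that Python's ssl module is linked against and lists what it actually selects. It also flags entries that select nothing: OpenSSL silently skips an entry containing a keyword it does not know, so a typo never produces an error, only a shorter list than intended. The REWRITTEN string is my own reformulation of what the author seems to have meant (AESGCM and AES256 are real keywords, AESGCM256 is not), offered as an assumption, not as something the page states. Caveat: the expansion reflects the local OpenSSL, not necessarily the one Apache on the Debian host is built against.

```python
"""Expand an Apache SSLCipherSuite string the way OpenSSL will.

Added example, not part of the original question or answer. Uses only the
standard library; the OpenSSL doing the expansion is the one behind Python's
ssl module, so results can differ from the server's OpenSSL.
"""
import ssl

# The string posted in the question, verbatim.
ORIGINAL = (
    "ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:ECDH+AES256:DH+AES256:"
    "RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!DSS:!eNULL:!ADH:!EXP:!LOW:!PSK:!SRP:!RC4"
)

# Assumed rewrite with keywords OpenSSL defines: AESGCM+AES256 means
# "AES-256 in GCM mode", which is what AESGCM256 was presumably meant to say.
REWRITTEN = (
    "ECDH+AESGCM+AES256:DH+AESGCM+AES256:ECDH+AES256:DH+AES256:"
    "RSA+AESGCM+AES256:RSA+AES256:!aNULL:!MD5:!DSS:!eNULL:!ADH:!EXP:!LOW:!PSK:!SRP:!RC4"
)


def expand(spec):
    """Return the TLS 1.2-and-earlier suite names OpenSSL selects for spec,
    in preference order; [] if nothing matches (OpenSSL refuses an empty list)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # "No cipher can be selected"
        return []
    # TLS 1.3 suites are configured separately (SSLOpenSSLConfCmd Ciphersuites
    # on Apache) and are always reported here regardless of spec; drop them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def noop_entries(spec):
    """Positive entries of spec that select nothing on their own.

    Exclusions (!, -), reorderings (+) and @-directives are skipped since they
    cannot be evaluated in isolation."""
    return [
        entry
        for entry in spec.split(":")
        if not entry.startswith(("!", "-", "+", "@")) and not expand(entry)
    ]


def only_aes256(spec):
    """True if every selected pre-TLS1.3 suite is a 256-bit AES suite."""
    names = expand(spec)
    return bool(names) and all("AES256" in n for n in names)


if __name__ == "__main__":
    for entry in noop_entries(ORIGINAL):
        print("selects nothing (unknown keyword):", entry)
    print("all AES-256:", only_aes256(ORIGINAL))
    for name in expand(ORIGINAL):
        print(" ", name)
```

The three AESGCM256 entries are the ones that select nothing; the list still ends up as intended because the plain ECDH+AES256, DH+AES256 and RSA+AES256 entries cover the GCM suites as well, which is why it "works". Use the same expand() on any future edit of the line before restarting Apache.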

1 Answer

  1. Your domain does not have a CAA record. If you do `dig CAA zalohovaniburian.cz` you will not get a reply. Compare with `dig CAA google.com`. If you want to use it you will need to provision it in your zone, like `www.zalohovaniburian.cz. CAA 128 issue "spacessl.com"`, but double-check with the CA you are using (SpaceSSL).

  2. As for OCSP, you have some information in the guide given by Håkan Lindqvist at https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling ; this article gives a detailed how-to on adding OCSP Stapling to Apache: https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx

PS: have a look at https://www.ssllabs.com/ssltest/ for online SSL checking; it has a good interface with links on how to remedy the various problems detected. Your website gets an A+, which is very good!

Patrick Mevzek
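As an added illustration of point 1 of the answer (not the answer's own code), the following Python implements the CAA decision a CA makes under RFC 8659: climb from the requested name towards the root until a CAA RRset is found, let `issue` (or `issuewild` for wildcard requests) say who may issue, and refuse if a record carries the critical flag (128) with a property the CA does not understand. Real CAs fetch the records over DNS; here the zone is a constructed dict so the logic runs offline. The zone contents, names and CA identifiers are illustrative assumptions. The second zone shows the caveat behind the answer's suggestion of placing the record on the www name: a CAA record only governs that name and the names below it, so the apex and sibling names stay unrestricted.

```python
"""CAA issuance check per RFC 8659, run against constructed zone data.

Added example, not part of the original answer. Zone records are
(flags, tag, value) tuples keyed by FQDN with trailing dot; nothing here
performs DNS lookups.
"""

# Constructed zone with CAA at the apex: governs every name under it.
APEX_ZONE = {
    "example.org.": [
        (0, "issue", "spacessl.com"),           # only this CA may issue
        (0, "issuewild", ";"),                  # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.org"),
    ],
    "legacy.example.org.": [
        (0, "issue", "letsencrypt.org"),
        (128, "future-tag", "x"),               # critical and unknown: blocks issuance
    ],
}

# Constructed zone with CAA only on the www name (the answer's suggestion).
WWW_ONLY_ZONE = {
    "www.example.org.": [(128, "issue", "spacessl.com")],
}

# Property tags this (hypothetical) CA understands; anything else that is
# marked critical makes issuance impossible (RFC 8659 section 4.1).
UNDERSTOOD_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, fqdn):
    """Return the first CAA RRset found walking from fqdn up to the root
    (RFC 8659 section 3), or None if no ancestor has one."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if name in zone:
            return zone[name]
    return None


def issuer_domain(value):
    """Extract the issuer domain from a property value:
    'ca.example; account=1' -> 'ca.example'; ';' -> '' (no issuer at all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, fqdn, ca):
    """True if the CA identified by `ca` may issue for fqdn.
    A leading '*.' makes fqdn a wildcard request."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(zone, name)
    if rrset is None:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in UNDERSTOOD_TAGS:
            return False  # critical property we cannot honour
    issue = [issuer_domain(v) for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, takes precedence for wildcard names only.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # no applicable issue/issuewild property: unrestricted
    return ca.lower() in governing


if __name__ == "__main__":
    for req in ["www.example.org.", "*.example.org.", "legacy.example.org."]:
        print(req, "spacessl.com ->", may_issue(APEX_ZONE, req, "spacessl.com"))
    print("mail.example.org. in www-only zone, any CA ->",
          may_issue(WWW_ONLY_ZONE, "mail.example.org.", "anyca.example"))
```

Run it and compare with `dig CAA` output for the real zone: if the record sits only on `www`, `may_issue` returns True for every other name for any CA, which is the case the apex placement avoids.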