June 1, 2016

Apache SSL/TLS Strong Encryption

If you’ve been keeping up with the numerous changes from Google and the Mozilla Foundation regarding SSL/TLS support, vulnerabilities such as Logjam, BEAST, FREAK, and POODLE, the deprecation of SSL 3.0, RC4, and SHA-1, and Firefox 37’s deprecation of TLS 1.0, you may be wondering what cipher suites you should support in Apache to ensure strong encryption. From the Guide to Deploying Diffie-Hellman for TLS, the following configuration will likely provide you with an A rating using Qualys SSL Server Test:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on

Remember, you should use an all-SHA-2 certificate chain (the intermediate and the issued certificate should not be signed with SHA-1) when you renew your certs.
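Before loading a cipher string into Apache it is worth checking what it actually offers. The script below is an added example, not part of the original post and not Apache or OpenSSL code; it needs only POSIX sh, grep, sed, awk and tr and never contacts a server. It splits the SSLCipherSuite value above into tokens, counts the named suites that lack forward secrecy, the CBC/HMAC-SHA1 suites, and the 3DES suite, confirms that the usual exclusions (aNULL, eNULL, EXPORT, RC4, MD5) are stated with a "!", and verifies that every ECDHE/DHE suite is listed before the non-PFS ones, which is what SSLHonorCipherOrder relies on. Group keywords such as AES, CAMELLIA and kEDH+AESGCM expand to many suites and are skipped here; `openssl ciphers -v 'STRING'` prints the expanded list.

```shell
#!/bin/sh
# Offline audit of an OpenSSL cipher string (Apache's SSLCipherSuite value).
# Added example; the string below is the one recommended in the post.

PAGE_CIPHER_SUITE='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

# One token per line, '!' and '-' prefixes kept.
cipher_tokens() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'
}

# Tokens removed from the list ('!' or '-' prefix), with the prefix stripped.
excluded_tokens() {
    cipher_tokens "$1" | grep -e '^[!-]' | sed 's/^[!-]//'
}

# Individually named suites that are offered. Group keywords (AES, CAMELLIA,
# kEDH+AESGCM) contain no '-' or contain '+' and are skipped on purpose.
offered_suites() {
    cipher_tokens "$1" | grep -v -e '^[!-]' | grep -e '-' | grep -v -e '+'
}

# Offered suites without forward secrecy (no ECDHE/DHE key exchange): a later
# compromise of the server key would expose recorded sessions using these.
non_pfs_suites() {
    offered_suites "$1" | grep -v -E '^(ECDHE|DHE)-'
}

# CBC-mode suites with an HMAC-SHA1 MAC (names ending in -SHA); these are the
# weakest of the offered set and exist only for older clients.
cbc_sha1_suites() {
    offered_suites "$1" | grep -e '-SHA$' | grep -v -e 'GCM'
}

# Families that must be excluded with '!' but are not; prints one per line.
missing_exclusions() {
    for fam in aNULL eNULL EXPORT RC4 MD5; do
        excluded_tokens "$1" | grep -q -x "$fam" || echo "$fam"
    done
}

# Count output lines of a function (tr strips the padding BSD wc adds).
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# True when at least one ECDHE/DHE suite is offered and all of them precede
# every non-PFS suite, so SSLHonorCipherOrder on prefers forward secrecy.
pfs_listed_first() {
    offered_suites "$1" | awk '
        /^(ECDHE|DHE)-/ { seen_pfs = 1; if (seen_non_pfs) bad = 1; next }
        { seen_non_pfs = 1 }
        END { if (bad || !seen_pfs) exit 1; exit 0 }'
}

report() {
    echo "offered named suites : $(count_lines offered_suites "$1")"
    echo "excluded tokens      : $(count_lines excluded_tokens "$1")"
    echo "non-PFS suites       : $(count_lines non_pfs_suites "$1")"
    echo "CBC/SHA-1 suites     : $(count_lines cbc_sha1_suites "$1")"
    echo "3DES suites          : $(offered_suites "$1" | grep -e 'DES-CBC3' | tr '\n' ' ')"
    echo "missing exclusions   : $(missing_exclusions "$1" | tr '\n' ' ')"
    if pfs_listed_first "$1"; then
        echo "PFS suites listed first: yes"
    else
        echo "PFS suites listed first: NO"
    fi
}

report "$PAGE_CIPHER_SUITE"
```

Run against the string above the report shows 27 named suites, 7 of them without forward secrecy and 10 CBC/SHA-1, the single 3DES suite DES-CBC3-SHA, no missing exclusions, and PFS suites listed first. Feed it a string like `AES128-SHA:RC4-SHA:DES-CBC3-SHA` (a constructed bad example) and every exclusion comes back as missing and the PFS-first check fails, which is exactly the kind of string to catch before it reaches a vhost.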

Recommended Reading:
SSL/TLS Deployment Best Practices, Ivan Ristic, Qualys SSL Labs

Custom Crons

Suppose you needed to run a cron job that ran only on the first x-day of the month. It’s easy to create a cron that runs every x-day, but how would you specify the first? The solution is pretty nifty. Simply create a cron that would run a job every x-day, but then have that cron execute a script that evaluates whether it is indeed the first occurrence of that day in a given month. If yes, it will execute your script. If no, it will do nothing.

Example for running a cron the first Wednesday of every month at midnight:
0 0 * * 3 [ "$(date '+\%d')" -le 7 ] && /usr/local/bin/myscript.sh > /dev/null

The cron will indeed run every Wednesday, but the conditional statement will only execute myscript.sh if the current day of the month is less than or equal to seven. Perfect!
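The same trick generalises from the first occurrence to the Nth: the first occurrence of a weekday falls on days 1 to 7, the second on days 8 to 14, and so on. The script below is an added example, not from the original post; the file name nth_weekday.sh and the path to myscript.sh are placeholders. Moving the `date` call into a script also sidesteps the `\%` escaping needed in a crontab line, where an unescaped `%` is turned into a newline.

```shell
#!/bin/sh
# Guard for a cron job that should run only on the Nth occurrence of its
# weekday in the month. The crontab's day-of-week field still selects the
# weekday; this only checks that the day of the month lies in the Nth
# seven-day window (1-7, 8-14, 15-21, 22-28, 29-31).
# Added example, not from the original post.

# Usage: nth_weekday_of_month N [DAY_OF_MONTH]
# DAY_OF_MONTH defaults to today; pass it explicitly to test any date.
# Returns 0 when the day is in the Nth window, 1 otherwise.
nth_weekday_of_month() {
    n="$1"
    dom="${2:-$(date +%d)}"
    dom="${dom#0}"                        # "07" -> "7"
    low=$(( (n - 1) * 7 + 1 ))
    high=$(( n * 7 ))
    if [ "$dom" -ge "$low" ] && [ "$dom" -le "$high" ]; then
        return 0
    fi
    return 1
}

# Crontab line for the second Wednesday of every month at midnight, using this
# file (installed as /usr/local/bin/nth_weekday.sh, a placeholder path) as the
# guard; no % escaping is needed because date runs inside the script:
#   0 0 * * 3 /usr/local/bin/nth_weekday.sh 2 && /usr/local/bin/myscript.sh > /dev/null

# When invoked with an argument, act as that guard and exit with its status.
if [ -n "${1:-}" ]; then
    nth_weekday_of_month "$1"
fi
```

With N=1 this is the post's `-le 7` test; N=5 only ever matches days 29 to 31, so a "fifth Wednesday" job silently skips months that have no such day, which is the behaviour you want.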