-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathStep3a-Lock.html
120 lines (120 loc) · 11.2 KB
/
Step3a-Lock.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
<!doctype html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="description" content="Securing Apache - Fedora/RedHat Step3a - Perfect Forward Secrecy (PFS)/Cipher Suites" />
<meta name="keywords" content="Apache, Security, SSL, TLS, Certificate, Fedora, RedHat, SUSE, CentOS, Elliptical Curves, RSA, Encryption, Perfect Forward Secrecy, PFS, Cipher Suites, BEAST, Protocols" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<meta name="author" content="Kevin Dziekonski" />
<meta name="generator" content="The Dead's Script O' Rama" />
<meta name="application-name" content="Zombie Security" />
<meta http-equiv="Content-Type" content="text/html" />
<meta name="robots" content="index, follow" />
<meta name="googlebot" content="index, follow" />
<meta name="copyright" content="Zombie materials are subject to copyrights" />
<meta property="og:title" content="Free Best Practice Security Guides" />
<meta property="og:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:secure_url" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:type" content="image/jpg" />
<meta property="og:image:alt" content="Zombie Security – Free Best Practice Security Guides" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://zombiesecured.com" />
<meta property="og:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="og:site_name" content="Zombie Secured" />
<meta property="twitter:card" content="summary" />
<meta property="twitter:site" content="https://zombiesecured.com " />
<meta property="twitter:site.id" content="@zombiesecured" />
<meta property="twitter:creator" content="@kevindziekonski" />
<meta property="twitter:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="twitter:title" content="Zombiesecured Free Educational Best Practices Security Guides" />
<meta property="twitter:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="twitter:image.alt" content="Free security education and best practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="msapplication-TileColor" content="#D83434" />
<meta name="msapplication-TileImage" content="https://zombiesecured.com/images/favicon.jpg" />
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-touch-fullscreen" content="yes">
<link rel="apple-touch-icon" href="https://zombiesecured.com/images/favicon.png" />
<link rel="canonical" href="https://zombiesecured.com/" />
<title>Step 3a - Perfect Forward Secrecy (PFS) - Cipher Suites (Fedora/Redhat)</title>
</head>
<body>
<div class="container-fluid">
<!-- Add the common header to display the main menu. -->
<div id="header"></div>
<div class="row">
<!-- This section is the side menu section -->
<div class="col-md-2">
<div id="apacheFedoraSideMenu"></div>
</div>
<!-- This section is the content section -->
<div class="col-md-10">
<div class="card border-dark mb-3 mt-3">
<div class="card-header d-flex align-items-center justify-content-center">
<!-- This is the content header start. Add text here for the content banner text. -->
<h4>Securing Apache - Fedora/CentOS/SUSE/RedHat</h4>
</div>
<div class="card-body">
<!-- This section is the content section. Add the bulk HTML here -->
<h3>Step 3a - Perfect Forward Secrecy (PFS) - Cipher Suites - <span class="red">Mandatory Step!!!</span></h3>
<p class="card-text">You can alter the <a href="https://istlsfastyet.com/" title="Cipher Suite changes" target="_blank">cipher suite in order to achieve the preference and order of the ciphers</a> you wish to use. If you desire to make clients follow the preferred order, then SSLHonorCipherOrder will need to be turned to on. When the SSLHonorCipherOrder is on, clients will connect by the following cipher list. <a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/" title="SSL/TLS config" target="_blank">Mozilla has a great config generator for this!</a></p>
<p class="card-text">You can remove the use of 128 bit ciphers to only use 256 bit, or remove 256 bit ciphers to only use 128 bit ciphers - add at the end of SSLCipherSuite :!AES128 or :!AES256 to remove the respective AES ciphers. You can remove 256 bit ciphers without much issue. Removing 128 bit and only using 256 bit ciphers locks you in to TLSv1.2 and drops support for older clients. Removing the 128 bit ciphers does get a 100% score on the tests. The config presented here does not drop support for either to ensure maximum audience for our site while remaining secure.</p>
<h4 class="green">Example:</h4>
<p class="card-text"><strong>SSLCipherSuite</strong> "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:........" </p>
<p class="card-text">The first two entries are Elliptic Curve using GCM (no preference order): EECDH+ECDSA+AESGCM, then RSA using GCM (no preference order): EECDH+aRSA+AESGCM. A client will try to negotiate in order of our preference we list here. The preference is for Elliptic Curve using GCM, followed by RSA using GCM, Elliptic Curve using SHA384 (EECDH+ECDSA+SHA384), Elliptic Curve using SHA256 (EECDH+ECDSA+SHA256), RSA using SHA384 (EECDH+aRSA+SHA384), RSA using SHA256 (EECDH+aRSA+SHA256), and so on down the list of ciphers. <span class="green">BTW the Cipher list has options:</span> + can be used for generalizing the specification of cipher suites, as in the example for the first cipher (EECDH+ECDSA+AESGCM), we do not specify 128 or 256 bit nor sha 256 or 384. You can use the - sign for specifying the exact cipher or spec you want to use ie (ECDHE-RSA-AES256-GCM-SHA384)</p>
<p class="card-text"> The options are whatever you desire as long as your<a href="https://cc.dcsec.uni-hannover.de/" title="What does my broswer support" target="_blank"> intended audience can use those ciphers</a> to connect to your application or site. You can add Camellia, CHACHA20 (ECDHE+ECDSA+CHACHA20+POLY1305: ECDHE+RSA+CHACHA20+POLY1305:), or anything else in the cipher list, but the procedure uses our preference which works with most clients while remaining secure.
We only use TLSv1.2 & TLSv1.3 in the procedure (Fully mitigate BEAST). Think about what other ciphers you desire to add if you remove these ciphers. Unless you are an admin and understand the implications, I would not recommend it.</p>
<h4>Global use of the Cipher Suites for all sites using Apache <span class="green">(Preferred Method)</span></h4>
<pre>nano /etc/httpd/conf.d/ssl.conf</pre>
<h4>Make the following changes to the ssl.conf </h4>
<pre>SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED:!CAMELLIA"
SSLHonorCipherOrder on
SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2</pre>
<h4> Close and exit the file </h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Restart Apache</h4>
<pre>systemctl restart httpd</pre>
<h4>Local use in the Apache Website config file <span class="orange">(Alternative)</span></h4>
<p class="card-text"><span class="blue">Add the sections in blue to the file</span></p>
<pre>nano /etc/httpd/conf.d/EXAMPLE_com_ssl.conf</pre>
<p class="card-text"><IfModule mod_ssl.c><br>
<VirtualHost *:443><br>
ServerAdmin host@EXAMPLE.com<br>
ServerName EXAMPLE.com<br>
ServerAlias www.EXAMPLE.com<br>
DocumentRoot /var/www/html/EXAMPLE<br>
DirectoryIndex index.html<br>
LogLevel info ssl:warn<br>
ErrorLog ${APACHE_LOG_DIR}/error.log<br>
CustomLog ${APACHE_LOG_DIR}/access.log combined</p>
<pre>SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!MEDIUM:!RC4:aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED:!CAMELLIA"
SSLHonorCipherOrder on
SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2</pre>
<p class="card-text"> </VirtualHost> <br>
</IfModule> </p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Restart Apache</h4>
<pre>systemctl restart httpd</pre>
</div>
<!-- This is the end of the bulk content section. -->
<div class="card-footer text-secondary">
<!-- This is the card footer where the next/previous links and arrows go. The links will need to be updated for every page. -->
<a class="text-secondary float-left" href="Step3-Lock.html"><i class="fa fa-arrow-left fa-2x"></i> PREVIOUS </a> <a class="text-secondary float-right" href="Step3b-Lock.html"> NEXT <i class="fa fa-arrow-right fa-2x"></i></a> </div>
</div>
</div>
</div>
</div>
<!-- Add the common footer. -->
<div id="footer"></div>
<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
<script src="/js/zombie.js"></script>
</body>
</html>