How good is your SSL configuration?

Mine was terrible, as it turns out. Well… that’s not the full story: my IIS configuration was terrible, and my Apache configuration was sort of passable, but by no means “good”.

It turns out that there are incredibly useful applications online, such as this one from Qualys, which you can point at an SSL site to get an incredibly detailed breakdown of why (if you are using defaults) it’s probably horribly weak.

IIS

I knew IIS wasn’t going to be as good on defaults as Apache would be, but I didn’t think it would be quite so terrible. It turns out when I tested audiu.net I got an F. I jumped out of my skin, especially as I didn’t think to hide my result from the scoreboards as I didn’t think for a second I wouldn’t get an amazing score. So the rush to fix the site started before anyone (probably no one ever) would see me on this board.

I found the following incredibly useful resource regarding configuring IIS (7.5 – 8) security:

hass.de: PowerShell scripts to reconfigure registry options to control IIS for best practice security

The script will not only disable the unsafe SSL modes, it will also set up the best practice cipher lists and preferences.

After deciding that I didn’t really care about keeping compatibility with browser users who couldn’t even render HTML5 (which Audiu utilises extensively), I opted for disabling the RC4 cipher and therefore bagging myself an A rating. This would mean users of IE <= 8 could not access the site anymore.

Apache

Compared to the defaults for IIS, this configuration for SSL I had found somewhere on the internet ages ago blagged me a perfectly respectable score of a B. Unfortunately it still had SSLv3 enabled meaning it was vulnerable to the POODLE exploit, but it was an easy enough fix to disable it. This now increased the security of a number of (WordPress) sites on this Linux server including the Audiu blog, and the site you are viewing currently!

Resources

Apache docs on SSL

Quick guide

To simply disable SSLv2 and SSLv3 (the important bits), just add the following line in each virtual host file, directly after the SSLEngine on switch. Refer to the above Apache docs for more information regarding control of cipher suites.

SSLProtocol all -SSLv2 -SSLv3
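One way to apply that quick guide across a number of virtual host files is a small POSIX shell script that removes any existing SSLProtocol directive, inserts the hardened one right after each SSLEngine on switch, and then checks the result. This is an added example, not code from the original post: it assumes the usual Apache layout (an SSLEngine on switch inside a <VirtualHost> block), and the vhost it feeds itself is a constructed sample, not a real site’s configuration.

```shell
#!/bin/sh
# Added example (not from the original post): enforce
# "SSLProtocol all -SSLv2 -SSLv3" in an Apache vhost file and verify it.

# harden_vhost FILE
# Drops every existing SSLProtocol line and emits the hardened directive on
# the line directly after each "SSLEngine on" switch, keeping its indentation.
# Running it twice gives the same result, so it is safe to re-apply.
harden_vhost() {
    file="$1"
    tmp="$file.tmp"
    awk '
        # discard any SSLProtocol line already present (weak or otherwise)
        /^[ \t]*SSLProtocol[ \t]/ { next }
        { print }
        # after the SSLEngine on switch, add the hardened directive
        /^[ \t]*SSLEngine[ \t]+[Oo]n/ {
            match($0, /^[ \t]*/)
            printf "%sSSLProtocol all -SSLv2 -SSLv3\n", substr($0, 1, RLENGTH)
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_vhost FILE
# Returns 0 only when the file has at least one SSLProtocol line and every
# such line excludes both SSLv2 and SSLv3. A file with no SSLProtocol line
# fails the check: it would fall back to mod_ssl defaults, which on the
# versions discussed in the post still allowed SSLv3.
check_vhost() {
    awk '
        /^[ \t]*SSLProtocol[ \t]/ {
            seen++
            if ($0 !~ /-SSLv2/ || $0 !~ /-SSLv3/) bad++
        }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }
    ' "$1"
}

# demo: constructed sample vhost (not a real site config) with the weak
# "SSLProtocol all" line that leaves SSLv3 enabled.
demo() {
    vhost=$(mktemp)
    cat > "$vhost" <<'EOF'
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLProtocol all
    SSLCertificateFile /etc/ssl/certs/example.pem
</VirtualHost>
EOF
    if check_vhost "$vhost"; then
        echo "before: already hardened"
    else
        echo "before: SSLv3 still allowed"
    fi
    harden_vhost "$vhost"
    if check_vhost "$vhost"; then
        echo "after: SSLv2/SSLv3 disabled"
    fi
    cat "$vhost"
    rm -f "$vhost"
}
```

Point harden_vhost at each file under your sites-enabled directory, then reload Apache and re-run the Qualys test; check_vhost on its own is handy as a quick audit that nothing has quietly re-enabled SSLv3 since.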
