SSL and Google Warnings

Hi everyone,

As you may be aware, Google is now giving warnings on SSL sites with outdated SSL security settings. This relates to SHA1 certificates and signatures. I decided to spend quite some time searching, reading and testing in an attempt to future proof my SSL security. I thought I would share what I have learned for other users of Virtualmin using SSL on websites.

As far as web servers go you need one that supports TLS versions 1.1 and 1.2. You also need to disable SSLv2, SSLv3 and TLS 1.1. Apache 2.2 does not use TLS 1.1 and 1.2, you need Apache 2.4

As a CentOS user I had 2 choices - upgrade from CentOS 6 to 7 (which includes Apache 2.4 as default) or compile and make Apache 2.4. There is a httpd24 repo but it did not work for me. I opted to upgrade to CentOS 7.

Certificates should be encrypted with SHA256 as a minimum. Some are recommending Eliptical Curve DSA (ECDSA) for certificate signing requests (CSR). Due to their complexity the keys are very small eg 256 but with the advantage of loading your web pages faster.

Many certificate authorities (CA) use SHA 1 as the signature algorithm but this does not affect SSL security from what I have read. Google is penalising SHA 1 CA signature algorithms so all certificate authorities need to comply by 2016.

The other problem is the cipher suite you are using. This is a bit of a catch 22 scenario as using ciphers for clients with older browsers results in being penalised by Google. RC4 although fairly new and common, is now considered a big NO and will fail Google’s new SSL standard and state you are using obsolete cryptography.

As a starting point I would recommend using the SSL server test at Qualys SSL Labs. They provide a detailed list of your SSL security and a grading. After addressing the issues highlighted my SSL grading is now A+ so all the reading and searching I did was very worthwhile.

As a starting point for ciphers I would recommend looking at Netscape’s cipher suite options and choose the high security for modern browsers. You can find them here.

Obviously you need to see what cipher suites your operating system provides and also what ciphers are available for TLS 1.1 and 1.2. This link will help you in identifying your ciphers.

You can also set the cipher suite order so offering the highest protection first. In CentOS using Apache 2.4 the two files that control SSL and cipher suites are /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf

Mozilla offer an on-line SSL generator for web servers here

Regards,

Philip