This should be subtitled “Why keeping the OS up-to-date isn’t enough”. Or; “wake up! aieeee! the hackers are coming! run for your lives!”.
Actually, nothing interesting has happened, I just ran some SSL tests1 on my home mailserver while getting ready to swap the SSL certificates from rapidSSL to Lets Encrypt. This is necessary due to various browsers ceasing to trust rapidSSL-issued certs soon2 so my cert will start showing up as untrusted. I’d rather avoid that so a switch to Lets Encrypt is a no-brainer, especially with the automated renewal process being so smooth.
However, the “F” I was seeing in the test was nothing to do with the certificate issuer, it was simply due to me not keeping the Apache SSL configuration up to date even though I had kept the server OS properly updated3. Actually, I don’t think I’ve touched the SSL configuration since 2014 at all, and I think I just accepted the default install then, so null points for security-awareness 🙁
So, what was in the ssl config? This was the default:
# SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: SSLProtocol all -SSLv2 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
Oops, according to the “F” report I’ve got a load of insecure cyphers enabled by default – hardly surprising since they were old settings and there has been a load of cypher-cracking since then.
So – how to fix it? Simple, let’s cheat and look at one of my recent Apache VPS installs that I know tests as “A” on the defaults. Like so:
SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on #(line breaks added for clarity) SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH !RC4"
The compromised SSLv3 is disabled and the Cypher suites are restricted to the strongest ones only and in order of strength.
I edited my SSL config to match this and also fixed the certificate chain problem where I didn’t update it properly last time I renewed my cert. Then I re-ran the tests…
Fixed 🙂 It really was that easy to be insecure and also that easy to fix.
I’ll take that as a wake-up call to check SSL settings properly and keep an eye on the security recommendations as they change in future.