Importance of SSL
SSL (Secure Sockets Layer), and its successor TLS, is implemented by handshake and encryption/decryption routines that already exist in browser programs and web servers. The job of an SSL certificate is to authenticate the identity of the server to the client; the encryption itself is done by the server's SSL stack (mod_ssl and OpenSSL in Apache's case), and the certificate only supplies the key material that stack uses to prove who it is.
During an SSL handshake, the client browser sends the server the list of cipher suites it is willing to use. The server chooses one of them and sends its choice back together with a certificate containing the server's public key. The certificate authenticates the server to the client. With RSA key exchange the client then uses that public key to encrypt a pre-master secret, from which both sides derive the symmetric session keys that protect the traffic between them; with (EC)DHE key exchange the certificate's key instead signs the ephemeral key-exchange parameters and never encrypts anything. The key point is that the encryption strength is not determined by the certificate but by the cipher suite negotiated from what the browser and the server software support. The certificate still matters for the authentication side: a short key or a weak signature algorithm (1024-bit RSA or SHA-1, for example) undermines the identity check even when the negotiated cipher is strong.
During this SSL "handshake" the browser and web server settle on a cipher suite that meets the minimum requirements configured on the application server, whether that is 40-bit, 128-bit or 256-bit encryption. The 40-bit and 56-bit "export" suites survive only for historical reasons and should never be accepted; which side's preference wins when several suites are acceptable to both is controlled in Apache by SSLHonorCipherOrder.
Strengthening SSLCipher
Given the importance of SSL between browser and web server, it is vital to remove the low-bit ciphers from the web server configuration. In Apache this is done with two directives in httpd.conf (or the ssl.conf it includes):
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +SSLv3 +TLSv1
The cipher string uses OpenSSL's cipher-list syntax (colon-separated cipher names and aliases, "!" to remove a group permanently, "+" to move a group to the end of the list), and Apache hands it to OpenSSL unchanged; SSLProtocol lists the protocol versions mod_ssl will negotiate. That is the configuration as originally published and it is no longer adequate on its own: SSLv3 (POODLE) and RC4 have since been broken and TLS 1.0 and 1.1 are deprecated, so on a current Apache 2.4 the equivalent is SSLProtocol -all +TLSv1.2 +TLSv1.3 together with a cipher string that keeps only ECDHE suites using AES-GCM or ChaCha20, plus SSLHonorCipherOrder on so that the server's preference order wins over the browser's. Run apachectl configtest after editing so that a syntax error does not take the server down on restart.
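The handshake described above and the two directives just shown can be checked without touching a live server. The script below is an added example, not code from the original post or from Apache: mod_ssl passes the SSLCipherSuite string to OpenSSL unchanged, and Python's ssl module wraps the same OpenSSL cipher-list parser, so expanding the string here shows exactly which suites a server with that line would offer. Both httpd.conf fragments are constructed for the demonstration (the weak one is the configuration printed above, the hardened one its current equivalent), and the expansion of mod_ssl's "all" keyword is an assumption noted in the code.

```python
"""Audit the SSL directives of an Apache httpd.conf fragment.

Added example, not code from the original post or from Apache. The two
configuration fragments below are constructed for the demo.
"""
import ssl

# Constructed fragments: the weak form from the post next to a hardened form.
WEAK_CONF = """
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
"""

HARDENED_CONF = """
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
SSLHonorCipherOrder on
"""

# Assumed expansion of mod_ssl's "all" keyword (Apache 2.4 excludes SSLv2).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark a suite as weak whatever its bit count claims.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def directive(conf, name):
    """Return the argument of the last occurrence of a directive, or None."""
    value = None
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip()
    return value


def enabled_protocols(conf):
    """Apply the +/- tokens of SSLProtocol left to right, as mod_ssl does."""
    spec = directive(conf, "SSLProtocol") or "all"
    enabled = set()
    for tok in spec.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def offered_suites(cipher_string):
    """Expand an OpenSSL cipher string into (name, strength_bits) pairs.

    Only TLS 1.2-and-below suites are governed by the string; OpenSSL lists
    the TLS 1.3 suites separately, so they are dropped here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(conf):
    """Return human-readable findings; an empty list means the fragment passes."""
    findings = []
    for proto in sorted(enabled_protocols(conf) & OBSOLETE_PROTOCOLS):
        findings.append(f"SSLProtocol enables obsolete version {proto}")
    for name, bits in offered_suites(directive(conf, "SSLCipherSuite") or "DEFAULT"):
        if bits < 128 or any(m in name for m in WEAK_MARKERS):
            findings.append(f"SSLCipherSuite offers weak suite {name} ({bits} bits)")
    if (directive(conf, "SSLHonorCipherOrder") or "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: the client, not the server, picks the suite")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        names = [n for n, _ in offered_suites(directive(conf, "SSLCipherSuite"))]
        print(f"[{label}] offered suites: {names}")
        for finding in audit(conf):
            print(f"[{label}] FINDING: {finding}")
```

What the weak fragment actually offers depends on the OpenSSL build the script runs under (recent builds no longer ship RC4 at all), which is itself the point of the post: the cipher string is only a filter over what the library provides, so the same httpd.conf yields different suites on different servers and has to be verified on each.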
Enabling SSLCache for High Performance
Adding an SSL session cache to httpd.conf lets a client that has already completed a full handshake resume its session with an abbreviated one, skipping the certificate exchange and the expensive public-key operation. That is where the performance gain comes from: the cache holds session state, not downloaded content, so it speeds up every new connection from a returning browser (within SSLSessionCacheTimeout) rather than the downloads themselves. The directive is SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000), where the number in parentheses is the cache size in bytes; shm: was the backend name in older releases, shmcb: is the shared-memory backend on Apache 2.2 and later (on 2.4 it requires mod_socache_shmcb to be loaded), and the cache file belongs in a cache directory rather than under the log directory. Because a resumed session reuses the keys derived in the original handshake, keep the timeout short (the common default is 300 seconds).
Tool to check SSL Vulnerabilities
SSLScan is a fast SSL scanner that reports the ports, protocol versions and cipher suites (with their key lengths) accepted by the SSL service on any web server. It gives a clear picture of the SSL configuration currently exposed by a website. It can be downloaded from http://sourceforge.net/projects/sslscan/ or installed with yum on Linux:
# yum list sslscan
The above command shows the versions available in the repositories configured for your particular Linux distribution. Once a suitable version is available, install sslscan with:
# yum install sslscan
Once the installation has completed, you can test the SSL configuration of any given website with:
# sslscan --no-failed www.example.com
The --no-failed option suppresses the ciphers the server rejected, so the report lists only what the server actually accepts, which is what needs reviewing: every line that shows SSLv2, SSLv3, a 40- or 56-bit key, or an RC4, DES or export cipher is something to remove from the configuration. For further usage of SSLScan, see:
# man sslscan
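Reviewing sslscan output by eye works for one host but not for a fleet. The script below is an added example, not code from the original post or from the sslscan project: it parses the "Accepted/Rejected <protocol> <n> bits <suite>" lines that sslscan prints and groups the accepted suites by the problem they represent. The report text is constructed for the demonstration in the shape of sslscan's cipher lines; real output carries header text and, in newer versions, extra columns, which the regular expression tolerates.

```python
"""Triage sslscan output: flag accepted suites a hardened server should not offer.

Added example, not code from the original post or from sslscan. The report
below is constructed in the shape of sslscan's cipher lines.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
Testing SSL server www.example.com on port 443

  Supported Server Cipher(s):
    Accepted  SSLv3    128 bits  RC4-SHA
    Accepted  SSLv3    256 bits  AES256-SHA
    Rejected  SSLv3    40 bits   EXP-RC4-MD5
    Accepted  TLSv1.0  168 bits  DES-CBC3-SHA
    Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
    Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256
    Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305
"""

# Status, protocol, bit count and suite name; trailing columns are ignored.
LINE_RE = re.compile(
    r"^\s*(Accepted|Preferred|Rejected)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)", re.M)
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Name-based checks matter because sslscan reports 3DES as 168 bits although
# its effective strength is 112.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def parse_report(text):
    """Return (status, protocol, bits, suite) for every cipher line."""
    return [(m.group(1), m.group(2), int(m.group(3)), m.group(4))
            for m in LINE_RE.finditer(text)]


def findings(text):
    """Map each problem category to the accepted suites that trigger it."""
    out = defaultdict(list)
    for status, proto, bits, suite in parse_report(text):
        if status == "Rejected":
            continue  # a rejected suite is the desired outcome, nothing to report
        if proto in OBSOLETE_PROTOCOLS:
            out["obsolete protocol"].append(f"{proto} {suite}")
        if bits < 128:
            out["under 128 bits"].append(f"{proto} {suite} ({bits} bits)")
        if any(m in suite for m in WEAK_MARKERS):
            out["weak algorithm"].append(f"{proto} {suite}")
        if not suite.startswith(("ECDHE-", "DHE-")):
            out["no forward secrecy"].append(f"{proto} {suite}")
    return dict(out)


if __name__ == "__main__":
    for category, suites in findings(SAMPLE_REPORT).items():
        print(f"{category}:")
        for s in suites:
            print(f"  {s}")
```

The "no forward secrecy" category is deliberately broader than the post's concern with key length: a 256-bit AES suite with plain RSA key exchange still lets anyone who later obtains the server's private key decrypt recorded traffic, which is why the hardened cipher strings above keep only ECDHE suites.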
Once the SSLCipherSuite, SSLProtocol and SSLSessionCache changes are in httpd.conf, check the syntax with apachectl configtest, restart Apache, and then re-run the sslscan command above against the server to confirm that only the intended protocol versions and ciphers are accepted.
Good Luck.