SSL Certificate Security Part – I
SSL security is part of PCI compliance; installing an SSL certificate alone won't protect you from other SSL-related vulnerabilities. Check your SSL certificate so that any vulnerabilities are found and can be fixed. See ssllabs.com to learn more about SSL certificates and the ratings given to them.
A couple of days ago, I was reintroduced to ssllabs.com from Qualys. You can check your SSL certificate and whether any known vulnerability is present in your server-side encryption or in the SSL protocols supported by your server. It also lists the cipher suites supported by the server.
I have checked many websites which we think are secured and found that they are vulnerable. I tried to find the fixes for them and found an Apache/Linux fix for cipher security; the steps for it follow.
Steps to fix the Apache/mod_ssl (OpenSSL) Cipher & SSL Protocol Vulnerability:
These changes are made in the httpd.conf file (or in ssl.conf, wherever the SSL configuration lives):
1) To disable the old SSLv2 protocol in mod_ssl, add the following line:
SSLProtocol all -SSLv2
2) To disable ciphers with weaker encryption keys, add the following line:
SSLCipherSuite HIGH:MEDIUM
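To confirm that both directives took effect in a configuration file before re-testing on ssllabs.com, here is an added Python check (my example, not code from the original post) that reads httpd.conf text and flags an SSLProtocol line that still leaves SSLv2 on or an SSLCipherSuite line that enables LOW, EXPORT, NULL or anonymous groups. The two config fragments are constructed samples, and the +/- handling is a simplified model of mod_ssl's protocol-list syntax.

```python
# Constructed httpd.conf fragments used as sample input (not taken from any real server).
WEAK_CONF = """<VirtualHost *:443>
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP
</VirtualHost>"""
FIXED_CONF = """<VirtualHost *:443>
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
</VirtualHost>"""

# OpenSSL cipher-list groups that mean weak, export-grade or no encryption/authentication.
WEAK_CIPHER_GROUPS = {"LOW", "EXP", "EXPORT", "NULL", "eNULL", "aNULL", "ADH", "SSLv2"}

def directive(conf, name):
    """Return the argument of the last non-comment `name` directive in conf, or None."""
    value = None
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip().strip('"')
    return value

def sslv2_enabled(proto_args):
    """Model mod_ssl's +/- protocol list just enough to tell whether SSLv2 stays on (assumption)."""
    enabled = False
    for tok in proto_args.split():
        if tok.lstrip("+-").lower() in ("all", "sslv2"):
            enabled = not tok.startswith("-")
    return enabled

def audit_ssl_config(conf):
    """Return findings for the two fixes described in the post; an empty list means both pass."""
    findings = []
    proto = directive(conf, "SSLProtocol")
    if proto is None or sslv2_enabled(proto):
        findings.append("SSLProtocol leaves SSLv2 enabled (fix: SSLProtocol all -SSLv2)")
    ciphers = directive(conf, "SSLCipherSuite")
    if ciphers is None:
        findings.append("SSLCipherSuite not set (fix: SSLCipherSuite HIGH:MEDIUM)")
    else:
        for item in ciphers.split(":"):
            # '!X' and '-X' remove a group; a bare or '+X' entry keeps it enabled.
            if not item.startswith(("!", "-")) and item.lstrip("+") in WEAK_CIPHER_GROUPS:
                findings.append(f"SSLCipherSuite enables weak cipher group {item.lstrip('+')}")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_ssl_config(conf) or "OK")
```

Run it against your own httpd.conf by passing the file contents to audit_ssl_config; the weak sample yields three findings and the fixed sample none.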
In the next part I will explain how to fix weak cipher and SSL certificate issues on Windows and other servers. Please check your SSL certificate at http://www.ssllabs.com. SSL cipher and protocol security is a must for PCI compliance.
Author: Gaurav Maniar – MCITP – Windows Server Specialist; Windows Hosting Security, Exchange Messaging System, Server Security Audit, Domain (ADS) Infrastructure