Tech Blog

AppRoad-Warriers of one of my customers who use Phones and Tabletts to access an SSL-secured Web-Shop built with Magento complained about diverse SSL-Errors.
So I went into investigation and decide to set up the SSL Cipher Suites, PFS Security and TLS from scratch...

To check my efforts and for quality assurance, I used SSL Checker from SSLLabs and checked against Mozilla Config Generatot

Common Problems found and fixed:

  • Upgrade Apache2 and Openssl on the webserver.
    • Root-CA and Intermediate Cert missingDownload your intermediate Certificates and Root-cert from your Trustcenter and install it:
SSLEngine On
SSLCertificateFile /etc/apache2/apache2.pem
SSLCACertificateFile /etc/apache2/root.ca
SSLCertificateKeyFile /etc/apache2/apache2.key
SSLCertificateChainFile /etc/apache2/intermediate.cert
  • Weak Diffie-Hellman Key for TLS regenerate new DH-Keys with and append the generated Text to your certificate 
    openssl dhparam -out /etc/ssl/dhparams.pem 2048

    append it to your Cert:

    cat /etc/ssl/dhparams.pem >> apache2.pem
    • and - of course - check and reload apache config:
    apache2ctl configtest ; apache2ctl graceful

     

    After applying all of these Steps, my customers Site reached Grade A on Qualis SSL Checker. The config snippet of the host config:

    SSLEngine On
    SSLCertificateFile /etc/apache2/apache2.pem
    SSLCACertificateFile /etc/apache2/root.ca
    SSLCertificateKeyFile /etc/apache2/apache2.key
    SSLCertificateChainFile /etc/apache2/intermediate.cert
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    # Only for Apache2 newer than 2.4.7
    # SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem"
    SSLHonorCipherOrder     on