Skip to content. | Skip to navigation

Navigation

You are here: Home / Support / Guides / Tools / SSL Certificates / Testing

Personal tools

SSL Certificates

How you can easily create and manage SSL certificates

Testing

Keeping up to date is very important as the world of cryptography is moving swiftly.

Your first port of call is SSLLabs where they will very kindly poke your site with a stick and tell you of its failing. Which will be legion.

Dan Goodin at Ars Technica is keeping a beady eye on these things and produces very useful cogent reports and how-tos.

Updates

RC4

August 2013

RC4 can be broken, so try to avoid it (SSLLabs will check for you).

Read about the RC4 changes which are something like:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM
                EECDH+aRSA+AESGCM
                EECDH+ECDSA+SHA384
                EECDH+ECDSA+SHA256
                EECDH+aRSA+SHA384
                EECDH+aRSA+SHA256
                EECDH
                EDH+aRSA
                !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

SHA256

September 2014

Google are getting twitchy about the use of SHA1 in certificates. You can read more but the upshot is to specify SHA256 as the digest when signing certificates and certificate requests. This is easily done with -sha256 as an extra flag.

Logjam

May 2015

Thanks to weak "export" crypto (dating from the Clinton administration) we're at risk again. This time with Diffie-Hellman key exchange. In this instance we want to bump up the quality of the parameters we're using and (yet again!) tinker with the safe ciphers. Read more here but in summary:

openssl dhparam -out dhparams.pem 2048

edit ssl.conf:

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          "ECDHE-RSA-AES128-GCM-SHA256
                ECDHE-ECDSA-AES128-GCM-SHA256
                ECDHE-RSA-AES256-GCM-SHA384
                ECDHE-ECDSA-AES256-GCM-SHA384
                DHE-RSA-AES128-GCM-SHA256
                DHE-DSS-AES128-GCM-SHA256
                kEDH+AESGCM
                ECDHE-RSA-AES128-SHA256
                ECDHE-ECDSA-AES128-SHA256
                ECDHE-RSA-AES128-SHA
                ECDHE-ECDSA-AES128-SHA
                ECDHE-RSA-AES256-SHA384
                ECDHE-ECDSA-AES256-SHA384
                ECDHE-RSA-AES256-SHA
                ECDHE-ECDSA-AES256-SHA
                DHE-RSA-AES128-SHA256
                DHE-RSA-AES128-SHA
                DHE-DSS-AES128-SHA256
                DHE-RSA-AES256-SHA256
                DHE-DSS-AES256-SHA
                DHE-RSA-AES256-SHA
                AES128-GCM-SHA256
                AES256-GCM-SHA384
                AES128-SHA256
                AES256-SHA256
                AES128-SHA
                AES256-SHA
                AES
                CAMELLIA
                DES-CBC3-SHA
                !aNULL !eNULL !EXPORT !DES !RC4
                !MD5 !PSK !aECDH
                !EDH-DSS-DES-CBC3-SHA
                !EDH-RSA-DES-CBC3-SHA
                !KRB5-DES-CBC3-SHA"

SSLHonorCipherOrder     on

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

Note

That last entry, SSLOpenSSLConfCmd, is only available in Apache 2.4.8+ (not the stock CentOS 7's 2.4.6). However, thanks to this note, if we are running 2.4.7 then we can append the parameters to the certificate file!

cat dhparams.pem >> {path to}ssl.em

See the note for Postfix too!

Document Actions