As of 30 June 2018 the PCI Security Standards Council treats any SSL or early TLS connection (anything below TLS 1.1) as a fail. As a result, any detection of SSL or TLS versions below 1.1 is now reported as a high-level vulnerability. This guide also applies to weak cipher findings; following the practices below should resolve those issues as well.
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
It is recommended that you upgrade all services to use at least TLS 1.1 (with TLS 1.2 being the stronger recommendation).
How to do this depends on the type of server in use; guides for a few common situations are linked below.
IIS
It is recommended to download and use IIS Crypto to help configure IIS. This small tool updates the protocol and cipher configuration of IIS without having to get into the IIS internals.
https://www.nartac.com/Products/IISCrypto/
Nginx
1. Disable everything below TLS 1.1
ssl_protocols TLSv1.1 TLSv1.2;
2. Optimise cipher suites
Configure nginx to use the server's preferred cipher order rather than the client's:
ssl_prefer_server_ciphers on;
The following cipher list is a reasonable starting point and can be tuned further. Note that 3DES (the DH+3DES entry, kept only for old clients) uses a 64-bit block and is itself flagged as a weak cipher by most scanners, so drop it unless you need it.
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
3. DH Params
DH parameters are used in the Diffie-Hellman key exchange of the TLS handshake; it is recommended to configure your own:
ssl_dhparam /etc/nginx/certs/dhparam.pem;
You can use openssl dhparam to generate parameters (the bit size is the last argument):
openssl dhparam -out /etc/nginx/certs/dhparam.pem 2048
Generate DH parameters of at least 2048 bits. If your TLS certificate uses a 4096-bit key, match that size in the DH parameters too.
Further information can be found in the nginx documentation, http://nginx.org/en/docs/http/configuring_https_servers.html
Apache
Apache supports TLS 1.2. To allow only TLS 1.1 and TLS 1.2, add the following to your HTTPS virtual host configuration:
SSLProtocol -all +TLSv1.1 +TLSv1.2
You can also tighten the cipher suite with:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$
As with nginx, DH parameters are used in the Diffie-Hellman key exchange and should be configured. With Apache 2.4.8 or later built against OpenSSL 1.0.2 or later, they are set through the SSLOpenSSLConfCmd directive:
SSLOpenSSLConfCmd DHParameters "/PATH/TO/YOUR/CERTIFICATE/FILES/dhparams.pem"
More information can be found in the apache documentation, https://httpd.apache.org/docs/2.4/ssl/
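As an added check that is not part of the original article, the following Python script reads the nginx or Apache directives shown above and reports any protocol version below TLS 1.1 and any weak cipher token (it flags the DH+3DES entry in the nginx list). The sample config is constructed here, and the list of tokens treated as weak is an assumption about what a scanner reports.

```python
# Protocol versions the PCI DSS 30 June 2018 cut-off treats as a fail.
FAILING_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# What Apache 2.4's "all" keyword expands to (2.4 no longer supports SSLv2).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Cipher-string tokens that ASV scans commonly report as weak ciphers (assumed list).
WEAK_CIPHER_TOKENS = {"3DES", "DES", "RC4", "MD5", "NULL", "EXPORT", "EXP", "ADH", "AECDH"}

def enabled_protocols(directive):
    """Protocol names enabled by nginx 'ssl_protocols A B;' (a plain list) or
    Apache 'SSLProtocol -all +A +B' (add/remove keywords applied in order)."""
    tokens = directive.strip().rstrip(";").split()
    name, args = tokens[0].lower(), tokens[1:]
    if name == "ssl_protocols":
        return set(args)
    enabled = set()  # Apache syntax: a bare name counts as "+name"
    for arg in args:
        sign, proto = (arg[0], arg[1:]) if arg[0] in "+-" else ("+", arg)
        names = APACHE_ALL if proto.lower() == "all" else {proto}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def weak_cipher_tokens(cipher_string):
    """Weak tokens in entries that enable ciphers; '!3DES' / '-3DES' are exclusions."""
    found = []
    for entry in cipher_string.split(":"):
        if not entry or entry[0] in "!-":
            continue
        parts = set(entry.replace("-", "+").split("+"))  # "DH+3DES" -> {"DH", "3DES"}
        found.extend(sorted(parts & WEAK_CIPHER_TOKENS))
    return found

def audit(config_text):
    """Findings for an nginx or Apache TLS snippet; an empty list means it passes."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        key = line.split()[0].lower() if line else ""
        if key in ("ssl_protocols", "sslprotocol"):
            bad = enabled_protocols(line) & FAILING_PROTOCOLS
            if bad:
                findings.append("early protocol enabled: " + ", ".join(sorted(bad)))
        elif key in ("ssl_ciphers", "sslciphersuite"):
            weak = weak_cipher_tokens(line.split(None, 1)[1].rstrip(";").strip('"'))
            if weak:
                findings.append("weak cipher token(s): " + ", ".join(weak))
    return findings

# Constructed sample: the article's nginx cipher list with TLSv1 left enabled.
NGINX_LEGACY = """ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;"""
```

Run audit() over the ssl_* or SSL* lines of your own configuration; the findings list maps directly onto what a scan report would show for the protocol and weak-cipher checks.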