Changing SSL Ciphers

From Metro Studios Knowledgebase


With the discovery of Heartbleed (circa April 2014) there was an increased focus on hardening SSL encryption across sites beyond what was already in place. One way to achieve this was to increase the strength of the SSL ciphers used on the server. Below is how we accomplished this.

Create the new Conf File

  1. SSH in to the server that needs to be updated.
  2. Escalate to root user permissions.
  3. Traverse to the Apache configuration directory.
    • Ubuntu
      cd /etc/apache2/conf.d/
    • RHEL/CentOS
      cd /etc/httpd/conf.d/
  4. Create the new conf file.
    vim zz050-psa-disable-weak-ssl-ciphers.conf
  5. Insert the following code into the newly created file:
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
  6. Restart Apache.
    • Ubuntu
      service apache2 restart
    • RHEL/CentOS
      service httpd restart
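
A pre-restart lint for the file created in step 5, as an added example that is not part of the original knowledgebase page. The function names and the temporary sample file are assumptions made for illustration; the token listing also shows how the cipher string's `-SHA1` (a removal that later tokens can re-add) differs from its permanent `!` exclusions.

```shell
#!/bin/sh
# Print the value of the first matching directive (names are case-insensitive).
directive() {  # usage: directive FILE NAME
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Label each token of an OpenSSL cipher string by its leading operator:
#   "!" permanently excludes, "-" removes (later tokens may re-add),
#   "+" moves to the end of the list, anything else adds ciphers.
classify_ciphers() {  # usage: classify_ciphers CIPHERSTRING
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r tok; do
        case "$tok" in
            '')   ;;
            '!'*) echo "exclude ${tok#?}" ;;
            -*)   echo "remove ${tok#?}" ;;
            +*)   echo "demote ${tok#?}" ;;
            *)    echo "add $tok" ;;
        esac
    done
}

# Return 0 only if the file disables SSLv2/SSLv3, enforces server cipher
# order, and permanently excludes the unauthenticated/unencrypted suites.
check_ssl_conf() {  # usage: check_ssl_conf FILE
    proto=$(directive "$1" SSLProtocol)
    order=$(directive "$1" SSLHonorCipherOrder)
    suite=$(directive "$1" SSLCipherSuite)
    rc=0
    for p in -SSLv2 -SSLv3; do
        case " $proto " in *" $p "*) ;; *) echo "FAIL: SSLProtocol lacks $p"; rc=1 ;; esac
    done
    [ "$order" = "on" ] || { echo "FAIL: SSLHonorCipherOrder is not on"; rc=1; }
    for x in aNULL eNULL; do
        classify_ciphers "$suite" | grep -qx "exclude $x" ||
            { echo "FAIL: cipher list lacks !$x"; rc=1; }
    done
    return $rc
}

# Constructed sample: a temp copy of the three directives from step 5.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
EOF
classify_ciphers "$(directive "$SAMPLE" SSLCipherSuite)"
check_ssl_conf "$SAMPLE" && echo "OK: directives as intended"
```

Point `check_ssl_conf` at the real `zz050-psa-disable-weak-ssl-ciphers.conf` before step 6 so a typo in the file is caught before Apache is restarted.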

Once you've restarted Apache successfully you should check the domains that use SSL on the server and make sure everything is still up and running. If everything looks fine, head on over to Qualys SSL Labs and test the strength of the server/domain.
