Here're some related tips that I found useful...
Disable Weak SSL Ciphers
Add the following entries to your Apache config file, which may be located here: /etc/apache2/apache2.conf
Disable only SSLv2
SSLProtocol ALL -SSLv2
Disable SSLv2 and Other Weak Ciphers
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
Verify that SSLv2 has been disabled. If it says, "alert handshake failure", then SSLv2 is disabled.
$ openssl
OpenSSL> s_client -connect SERVERNAME_HERE.COM:443 -cipher LOW:EXP
CONNECTED(00000003)
84303:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_clnt.c:602:
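One way to script the check above, as an added example that is not part of the original post: it classifies `openssl s_client` output from the LOW:EXP probe so that a connection that never happened is not mistaken for a refused handshake. The function names, the wrapper and the two constructed samples are assumptions; the rejected sample is the output quoted above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): interpret `openssl s_client`
# output from the LOW:EXP probe shown above.

# Reads s_client output on stdin and prints one verdict:
#   rejected - the server refused the handshake
#   accepted - a cipher was negotiated, so weak ciphers are still enabled
#   unknown  - no handshake result at all; never count this as a pass
classify_probe() {
    local out
    out=$(cat)
    # A completed handshake reports "Cipher is <name>"; a failed one
    # reports "Cipher is (NONE)", which the [^(] excludes.
    if printf '%s\n' "$out" | grep -Eq 'Cipher is [^(]'; then
        echo accepted
    elif printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
        echo rejected
    else
        echo unknown
    fi
}

# Hypothetical wrapper: $1 is host:port. Closing stdin makes s_client exit
# after the handshake instead of waiting for input.
probe_weak_ciphers() {
    openssl s_client -connect "$1" -cipher LOW:EXP </dev/null 2>&1 | classify_probe
}

# The failure output quoted in the post.
SAMPLE_REJECTED='CONNECTED(00000003)
84303:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_clnt.c:602:'
# Constructed samples: a negotiated weak cipher, and a refused TCP connection.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DES-CBC-SHA'
SAMPLE_NOCONN='connect: Connection refused'

if [ "$#" -gt 0 ]; then
    probe_weak_ciphers "$1"
else
    # No argument: run offline over the embedded samples.
    for s in "$SAMPLE_REJECTED" "$SAMPLE_ACCEPTED" "$SAMPLE_NOCONN"; do
        printf '%s\n' "$s" | classify_probe
    done
fi
```

An OpenSSL client build that no longer includes LOW or EXPORT ciphers cannot offer them, so the probe ends up as `unknown` there and needs an older client or one of the online testers.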
Online Testing Services
SSL Testing
https://www.wormly.com/test_ssl
https://www.ssllabs.com/ssltest/analyze.html?d=amazon.com
Test Heartbleed Vulnerability
https://filippo.io/Heartbleed/
Email Server Testing
http://mxtoolbox.com/diagnostic.aspx
Server Response Time Testing
http://tools.pingdom.com/fpt/
Server Testing
https://scanmyserver.com/