Tech Blog

AppRoad-Warriers of one of my customers who use Phones and Tabletts to access an SSL-secured Web-Shop built with Magento complained about diverse SSL-Errors.
So I went into investigation and decide to set up the SSL Cipher Suites, PFS Security and TLS from scratch...

To check my efforts and for quality assurance, I used SSL Checker from SSLLabs and checked against Mozilla Config Generatot

Common Problems found and fixed:

  • Upgrade Apache2 and Openssl on the webserver.
    • Root-CA and Intermediate Cert missingDownload your intermediate Certificates and Root-cert from your Trustcenter and install it:
SSLEngine On
SSLCertificateFile /etc/apache2/apache2.pem
SSLCACertificateFile /etc/apache2/root.ca
SSLCertificateKeyFile /etc/apache2/apache2.key
SSLCertificateChainFile /etc/apache2/intermediate.cert
  • Weak Diffie-Hellman Key for TLS regenerate new DH-Keys with and append the generated Text to your certificate 
    openssl dhparam -out /etc/ssl/dhparams.pem 2048

    append it to your Cert:

    cat /etc/ssl/dhparams.pem >> apache2.pem
    • and - of course - check and reload apache config:
    apache2ctl configtest ; apache2ctl graceful

     

    After applying all of these Steps, my customers Site reached Grade A on Qualis SSL Checker. The config snippet of the host config:

    SSLEngine On
    SSLCertificateFile /etc/apache2/apache2.pem
    SSLCACertificateFile /etc/apache2/root.ca
    SSLCertificateKeyFile /etc/apache2/apache2.key
    SSLCertificateChainFile /etc/apache2/intermediate.cert
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    # Only for Apache2 newer than 2.4.7
    # SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem"
    SSLHonorCipherOrder     on

     

Wir nutzen Cookies auf unserer Website. Einige von ihnen sind essenziell für den Betrieb der Seite, während andere uns helfen, diese Website und die Nutzererfahrung zu verbessern (Tracking Cookies). Sie können selbst entscheiden, ob Sie die Cookies zulassen möchten. Bitte beachten Sie, dass bei einer Ablehnung womöglich nicht mehr alle Funktionalitäten der Seite zur Verfügung stehen.