Apache: Mitigate the CRIME and the BEAST attack

Set up the Apache web server properly to mitigate the CRIME and BEAST attacks, disable SSLv2 and enable Perfect Forward Secrecy on a Gentoo web server…

Consider the Apache Security Best Practice.

First of all, test your Apache web server setup. If your server was graded lower than “A”, consider the following modifications.

Apache Newer Than 2.2.15

Create your own Apache module configuration file, e.g. 99_mod_my_own_special.conf, as follows:

nano /etc/apache2/modules.d/99_mod_my_own_special.conf

and insert the following setup (comments included):

# Mitigate the BEAST attack
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:!MD5:!aNULL:!EDH

# Mitigate the CRIME attack
SSLCompression off

# Disable SSLv2 (should be disabled by default, but anyway)
SSLProtocol All -SSLv2

# Enable Forward Secrecy (ECDHE suites first) while still mitigating the BEAST attack.
# Same cipher string as above, repeated for clarity: Apache uses the last SSLCipherSuite it reads.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:!MD5:!aNULL:!EDH

Apache/2.2.15 and Older

Unfortunately, even though CentOS is stable, it ships only Apache 2.2.15, which does not support the SSLCompression off directive. Therefore a workaround is needed instead. In /etc/sysconfig/httpd add the following instruction:

export OPENSSL_NO_DEFAULT_ZLIB=1

source.
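Before restarting, it helps to audit the fragment (and, on the old CentOS build, the sysconfig workaround) for exactly the settings the two sections above describe. The following script is an added example and is not code from the original post: it reads Apache mod_ssl directives and reports what is missing. WEAK_CONF, HARDENED_CONF and SYSCONFIG are constructed samples, and the cipher string in HARDENED_CONF is a shortened one rather than the post's full list. One caveat worth knowing when you reuse the post's list: the RC4 suites it prefers as a BEAST mitigation are now prohibited for TLS by RFC 7465, so the audit treats an ECDHE suite in first position as the forward-secrecy check rather than endorsing any particular legacy cipher.

```python
"""Audit an Apache mod_ssl fragment for the settings this post recommends:
SSLCompression off (CRIME), SSLv2 excluded, SSLHonorCipherOrder On with a
server-chosen ECDHE-first cipher list (BEAST, forward secrecy), plus the
OPENSSL_NO_DEFAULT_ZLIB workaround for Apache builds without SSLCompression.

Added example, not code from the original post. WEAK_CONF, HARDENED_CONF and
SYSCONFIG are constructed samples; the cipher string is shortened.
"""
import re

# Constructed "before": what a default vhost often looks like.
WEAK_CONF = """\
SSLEngine on
SSLProtocol All
SSLCompression on
SSLCipherSuite DEFAULT
"""

# Constructed "after", following the structure of 99_mod_my_own_special.conf.
HARDENED_CONF = """\
# Mitigate the BEAST attack
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!MD5:!aNULL:!EDH
# Mitigate the CRIME attack
SSLCompression off
# Disable SSLv2
SSLProtocol All -SSLv2
"""

# Constructed /etc/sysconfig/httpd content for the Apache 2.2.15 workaround.
SYSCONFIG = "OPTIONS=\nexport OPENSSL_NO_DEFAULT_ZLIB=1\n"


def parse_directives(text):
    """Map lower-cased directive name -> list of values, in file order.

    Comments and blank lines are skipped. Apache honours the last occurrence
    of a directive, but every occurrence is kept so duplicates can be reported.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(value)
    return found


def sslv2_allowed(protocol_value):
    """True if an SSLProtocol value still permits SSLv2 (e.g. 'All' without '-SSLv2')."""
    tokens = protocol_value.lower().split()
    if "-sslv2" in tokens:
        return False
    return "all" in tokens or "sslv2" in tokens or "+sslv2" in tokens


def audit(conf_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    d = parse_directives(conf_text)
    findings = []

    comp = d.get("sslcompression", [])
    if not comp or comp[-1].lower() != "off":
        findings.append("CRIME: SSLCompression is not 'off'")

    # Apache's default is 'All', so a missing SSLProtocol line allows SSLv2 on old builds.
    if sslv2_allowed(d.get("sslprotocol", ["All"])[-1]):
        findings.append("SSLv2: SSLProtocol does not exclude SSLv2")

    if d.get("sslhonorcipherorder", [""])[-1].lower() != "on":
        findings.append("BEAST: SSLHonorCipherOrder is not On (client picks the cipher)")

    suites = d.get("sslciphersuite", [])
    if not suites:
        findings.append("BEAST: no SSLCipherSuite configured")
    else:
        last = suites[-1].lower()
        for excluded in ("aNULL", "MD5"):
            if "!" + excluded.lower() not in last:
                findings.append(f"BEAST: SSLCipherSuite does not exclude {excluded}")
        if not last.split(":")[0].startswith("ecdhe"):
            findings.append("PFS: first preferred suite is not an ECDHE suite")
        if len(suites) > 1:
            findings.append(f"style: SSLCipherSuite appears {len(suites)} times (only the last counts)")
    return sorted(findings)


def has_zlib_workaround(sysconfig_text):
    """For Apache without SSLCompression: is OPENSSL_NO_DEFAULT_ZLIB=1 exported?"""
    pattern = r"^\s*(?:export\s+)?OPENSSL_NO_DEFAULT_ZLIB\s*=\s*1\s*$"
    return re.search(pattern, sysconfig_text, re.M) is not None


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'OK'}")
    print("zlib workaround present:", has_zlib_workaround(SYSCONFIG))
```

To run it against your own files, pass the contents of /etc/apache2/modules.d/99_mod_my_own_special.conf to audit() and, on the CentOS box, the contents of /etc/sysconfig/httpd to has_zlib_workaround(); only a file with no findings is worth restarting Apache for.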

Finito

Now, restart the server:

/etc/init.d/apache2 restart

and test your setup again.
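One way to do that second test from the command line, as an added example that is not part of the original post, is to read what openssl s_client actually negotiated with the restarted server: the protocol, the cipher and whether TLS compression is still on. assess() parses the SSL-Session block of s_client output and SAMPLE_OUTPUT is a constructed excerpt of such output; probe() needs network access and the openssl CLI. The -comp flag it passes is assumed to be the OpenSSL 1.1.0+ switch that makes the client offer compression at all (on builds compiled with zlib); older builds offer compression by default and do not know the flag, so drop it there.

```python
"""Check a live server after the restart by parsing openssl s_client output.

Added example, not from the original post. assess() works on captured output
(SAMPLE_OUTPUT is constructed); probe() needs network access and openssl.
"""
import re
import subprocess

# Constructed excerpt of the SSL-Session block printed by openssl s_client.
SAMPLE_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: NONE
    Expansion: NONE
"""


def _field(text, name):
    """Value of a 'Name : value' line from the SSL-Session block, or None."""
    m = re.search(rf"^\s*{name}\s*:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def assess(s_client_output):
    """Summarise negotiated parameters relevant to CRIME, BEAST/PFS and SSLv2."""
    protocol = _field(s_client_output, "Protocol")
    cipher = _field(s_client_output, "Cipher")
    compression = _field(s_client_output, "Compression")
    return {
        "protocol": protocol,
        "cipher": cipher,
        # CRIME needs TLS compression; the server must answer NONE even when the client offers it.
        "compression_off": compression is not None and compression.upper() == "NONE",
        # Forward secrecy: an ephemeral (EC)DHE key exchange was negotiated.
        "forward_secrecy": cipher is not None and cipher.startswith(("ECDHE-", "DHE-")),
        # RC4 suites, which this era's BEAST advice preferred, are prohibited by RFC 7465.
        "rc4": cipher is not None and "RC4" in cipher.upper(),
        "legacy_protocol": protocol in ("SSLv2", "SSLv3"),
    }


def probe(host, port=443, timeout=15):
    """Connect with openssl s_client (network required) and assess the result.

    Assumption: -comp is the OpenSSL 1.1.0+ flag that offers compression; remove
    it on older builds, which offer compression by default and reject the flag.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-comp"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return assess(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(assess(SAMPLE_OUTPUT))
```

A result with compression_off and forward_secrecy true, and rc4 and legacy_protocol false, is what the configuration above is meant to produce; anything else means a directive was not picked up (check that the module file is actually loaded and that no later vhost overrides it).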

That’s pretty much it. The setup info was inspired by this web-page and this web-page. Thanks a lot!
