I'm switching back to OpenSSL on my Ubuntu Apache Servers

Many moons ago I posted about how I switched from OpenSSL to GnuTLS. That was because I wanted to mitigate against The BEAST attack, and at that time the version of OpenSSL that came with Ubuntu didn't support TLS 1.1 or TLS 1.2.

Well, in the latest Ubuntu releases OpenSSL does support it, but the funny thing is that something is wrong with GnuTLSPriorities in Ubuntu 14.04. For some reason, the string doesn't work anymore and I can't so simple things like disable SSL 3.0 which you need to do to mitigate against the new POODLE vulnerability.

I decided to switch back to OpenSSL, and in order to be PCI compliant and get an A+ rating on SSLLabs.com I also added the following to my /etc/apache2/sites-enabled/default-ssl.conf file:

SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Content-Type-Options nosniff

You need to be sure that you have headers enabled for the above to work.

Once all of that is done you should be good to go!

[Code via Cipherli.st]

Related articles

• Disable SSLv3 in Apache, Nginx and IIS against POODLE Vulnerability
• Security/Server Side TLS
• Easy SSLv3 "poodle" vulnerability test (and the fix for Jboss/Tomcat)
• POODLE - An SSL 3.0 Vulnerability (CVE-2014-3566)