{"id":443,"date":"2019-01-18T14:42:00","date_gmt":"2019-01-18T21:42:00","guid":{"rendered":"https:\/\/www.ngfamily.dynu.com\/ngwp\/?p=443"},"modified":"2023-10-05T09:26:36","modified_gmt":"2023-10-05T15:26:36","slug":"hardening-ssl-settings-to-appease-htbridge","status":"publish","type":"post","link":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/?p=443","title":{"rendered":"Hardening SSL settings to appease htbridge"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Add OCSP<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># OCSP stapling: one directive per line. SSLStaplingCache must be set in the\n# server (global) context, not inside a VirtualHost.\nSSLUseStapling On\nSSLStaplingCache \"shmcb:\/run\/httpd\/ssl_stapling(32768)\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Add HSTS<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># Send only from the HTTPS VirtualHost; max-age 63072000 seconds = two years\nHeader always set Strict-Transport-Security \"max-age=63072000;includeSubdomains;\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Disable TLSv1.0<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>SSLProtocol all -SSLv2 -SSLv3 -TLSv1<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Disabling 3DES ciphers<\/h2>\n\n\n\n<p>I was working on the ngfamily.dynu.com front end and noticed that the 3DES ciphers were still accepted:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA\nTLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\nTLS_RSA_WITH_3DES_EDE_CBC_SHA<\/code><\/pre>\n\n\n\n<p>This fails HIPAA guidance. I don&#8217;t have any information that needs to be protected, but why not disable these ciphers.<\/p>\n\n\n\n<p>Long story short, I found out the problem started from the Apache conf that Let&#8217;s Encrypt generates, so the fix is in \/etc\/letsencrypt\/options-ssl-apache.conf: delete all ciphers containing &#8220;DES-CBC3-SHA&#8221; from the SSLCipherSuite:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>:ECDHE-ECDSA-DES-CBC3-SHA\n:ECDHE-RSA-DES-CBC3-SHA\n:EDH-RSA-DES-CBC3-SHA\n:DES-CBC3-SHA<\/code><\/pre>\n\n\n\n<p>The resulting directive, kept on a single line (Apache does not accept the value on a line of its own):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Add OCSP Add HSTS Disable TLSv1.0 Disabling 3DES ciphers I was working on the ngfamily.dynu.com front end and noticed that the 3DES ciphers were still accepted: This fails HIPAA guidance. I don&#8217;t have any information that needs to be protected, but why not disable these ciphers. Long story short, I found out the problem [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":444,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","footnotes":""},"categories":[28,19],"tags":[],"class_list":["post-443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-programming","category-projects"],"_links":{"self":[{"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=\/wp\/v2\/posts\/443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=443"}],"version-history":[{"count":1,"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=\/wp\/v2\/posts\/443\/revisions"}],"predecessor-version":[{"id":445,"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=\/wp\/v2\/posts\/443\/revisions\/445"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=\/wp\/v2\/media\/444"}],"wp:attachment":[{"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ngfamily.freeddns.org\/ngwp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}