Upgrading Apache 2.2 OpenSSL security with TLS Interposer

SSL Labs rating AUndoubtedly, you will have heard about the weaknesses of old SSL and TLS protocol versions and ciphers. Web browsers have been updated; but the server administrators are left alone: For stability reasons, many run long-term support editions such as Ubuntu 12.04 LTS. Even without that, most will stick to the reliability of Apache 2.2, hesitant to upgrade to 2.3 or 2.4 with their manifold changes. TLS Interposer can help you make your trusty Apache 2.2 on par with the most secure web server.

If you have not installed TLS Interposer yet, please do so now using the TLS Interposer installation instructions.

Assuming Ubuntu 12.04 LTS with at least OpenSSL 1.0.1, you then add the following line to /etc/apache2/envvars:[1]Other Linux distributions will probably behave similarly

export LD_PRELOAD=/usr/local/lib/tlsinterposer.so

and restart Apache using /etc/init.d/apache2 restart. This makes sure a new process is started which inherits the newly-set environment variable.

You’re done! Your Apache 2.2 TLS configuration is state of the art! To be sure that everything works as expected, test your site settings with the Qualys SSL Labs SSL Server Tester. It should look somewhat like my results.

I still have the following settings in the Apache configuration:

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
# SSLCipherSuite settings will be ignored

 

Footnotes   [ + ]

1. Other Linux distributions will probably behave similarly

Schreibe einen Kommentar