Enhancing the security of your Apache website with TLS and reduced cipher suites

Introducing Transport Layer Security (TLS), fine-tuning cipher suites and improving your website's general security posture are essential tasks.

Whether you're running an e-commerce site or simply a blog, adding SSL encryption to your website helps keep user traffic encrypted and can boost your website's search rankings.

The latter, which some people might not be aware of, was documented in an interesting blog post released by Google back in 2014 informing web administrators that enabling TLS (the successor to SSL) on their websites actually improves Search Engine Optimisation (SEO). A great move by Google which further promotes a ‘security first’ principle and entices administrators to jump on board by giving them a 1-up over their unsuspecting rivals in its search engine results.

All this got me thinking: how does my website stack up against others from a security standpoint, and how can I get an SSL certificate by the cheapest means possible (free sounds good!)?

Prerequisites:

  • Ubuntu host with Apache installed
  • Existing website and SSL Certificate (we can update this later!)

Inspecting your website’s TLS configuration

A quick Google later I discovered a website that can analyse your web server, display its cipher suites and give in-depth information on your current HTTPS certificate.

Qualys SSL Labs runs a thorough SSL Server Test. Simply plug in your website URL and away you go. A multitude of information about its configuration is presented, specifically relating to your SSL certificate key/signature algorithm, TLS protocol versions and cipher suites. A quick scan over my results at the time showed my Apache configuration on Ubuntu (16.04) was presenting many TLS configurations that really should be switched off.
The last couple of years have kept web admins busy plugging holes, Heartbleed and more recently POODLE to name a few, so switching off any obsolete support is a good idea.

The first step for me was to turn off the older cipher suites and TLS 1.0 and 1.1.

TLS negotiation is opportunistic: the client advertises the protocol versions and cipher suites it supports and the server picks one it also supports, so the two will try to settle on the most secure channel available to each other at the time. It is all well and good enabling backwards compatibility, but at some point in time administrators need to stop supporting bad behaviours such as irregular patching. I found a cool website over here that will help you generate an SSL configuration for Apache and allow you to restrict its backwards compatibility.

1. Determine your Apache and OpenSSL versions:

apache2 -v

openssl version

2. Enter the above version information as best you can into the Mozilla SSL Configuration Generator. I chose Modern as I only want to support newer web browsers.

3. Modify your Apache SSL configuration file. On a default installation of Ubuntu it lives at the following path:
vi /etc/apache2/sites-available/default-ssl.conf

The SSL configuration parameters sit outside the <VirtualHost *:443> block, as pictured below. Paste these in and save your file.

4. Restart Apache.
apachectl restart

Test your website and be sure to monitor the Apache error log for any errors.
tail -f /var/log/apache2/error.log

5. Head back over to the Qualys SSL Labs SSL Server Test and analyse your website again. Check out the Configuration section and note that only TLS 1.2 and the more secure ECDHE suites are enabled now. Further down the page a browser compatibility list is displayed, which provides a useful insight into which clients will no longer be able to access your website!
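Before re-running the SSL Labs test it is handy to check the pasted configuration locally. The script below is an added example (not from the original post or the Mozilla generator): a small lint for the SSL section of an Apache config that applies the rules above (no SSLv3, TLS 1.0 or TLS 1.1; only explicit ECDHE suites; server-side cipher order), plus a live probe you can point at your own host after the restart. Both configs embedded in it are constructed for illustration and are not Ubuntu's shipped defaults.

```shell
#!/bin/sh
# Added example, not from the original post: lint the SSL directives of an
# Apache config against the rules the post recommends. Both configs below are
# constructed samples, not real Ubuntu defaults.

WEAK_CONF='
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:RC4-SHA
SSLHonorCipherOrder off
'

STRICT_CONF='
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
'

# Print the value of directive $2 from config text $1 (first occurrence only;
# Apache directives are case-insensitive, this lint expects the usual casing).
ssl_directive() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" | head -n 1
}

# Report each weak setting on stdout; the exit status is the number of findings.
lint_ssl_conf() {
    conf=$1
    findings=0

    # A missing SSLProtocol is treated as "all", the permissive reading.
    proto=$(ssl_directive "$conf" SSLProtocol)
    [ -n "$proto" ] || proto=all
    for legacy in SSLv3 TLSv1 TLSv1.1; do
        case " $proto " in
            *" -$legacy "*) ;;                        # explicitly removed: fine
            *" all "*|*" +$legacy "*|*" $legacy "*)
                echo "legacy protocol still enabled: $legacy"
                findings=$((findings + 1)) ;;
        esac
    done

    # Every non-negated token must be an explicit ECDHE suite; keywords such
    # as HIGH or MEDIUM expand to RSA key exchange, CBC modes and worse.
    ciphers=$(ssl_directive "$conf" SSLCipherSuite)
    old_ifs=$IFS; IFS=:
    for token in $ciphers; do
        case $token in
            !*|'') ;;
            ECDHE-*) ;;
            *) echo "non-ECDHE cipher or keyword: $token"
               findings=$((findings + 1)) ;;
        esac
    done
    IFS=$old_ifs

    # Without SSLHonorCipherOrder on, the client's preference order wins.
    order=$(ssl_directive "$conf" SSLHonorCipherOrder)
    if [ "$order" != on ]; then
        echo "SSLHonorCipherOrder is not on (got '${order:-unset}')"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live check against a running server (not invoked here): succeeds when a
# handshake with the given version works. $1 = hostname, $2 = tls1 | tls1_1 | tls1_2.
# After the change only tls1_2 should succeed.
probe_protocol() {
    openssl s_client -connect "$1:443" -servername "$1" "-$2" </dev/null >/dev/null 2>&1
}

echo "== constructed permissive config =="
lint_ssl_conf "$WEAK_CONF" || echo "findings: $?"
echo "== constructed strict config =="
lint_ssl_conf "$STRICT_CONF" && echo "findings: 0"
```

Run it as-is to see the permissive sample produce seven findings and the strict sample none; to lint your own file, call `lint_ssl_conf "$(cat /etc/apache2/sites-available/default-ssl.conf)"`. For the live probe, note that newer OpenSSL client builds may refuse to offer TLS 1.0 or 1.1 themselves, so a failed `probe_protocol` from such a client is not on its own proof that the server rejected the version; the SSL Labs report remains the authoritative check.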

Introducing the Let’s Encrypt Certificate Authority

I messaged a colleague at work today ‘WANTED: Cheapest SSL certificate possible’, after all, who doesn’t like being shrewd?
Without hesitation he pointed me in the direction of Let’s Encrypt, an amazing free service that allows anyone to obtain an SSL certificate. Surely there must be a catch, you ask?
Sure. They expire every 90 days, and for good reasons. But don’t sweat it, more on automating the renewal process below; it’s a piece of cake.

1. Install the letsencrypt Ubuntu Python client.
sudo apt-get install python-letsencrypt-apache

2. Request and install your new certificate (repeat this for every website you host).
letsencrypt --apache -d mik3y.net -d www.mik3y.net

The above command allows you to specify multiple hostnames for your website. This will allow clients to connect to either URL if configured in Apache and DNS. Omit one of the -d parameters to only grab a certificate for a single hostname.

You will be prompted to enter your recovery email address, which allows you to perform recoveries and receive notices from Let’s Encrypt. In addition you can switch your website to support only HTTPS, and an HTTP->HTTPS redirect will be automatically put in place.

An assortment of public certificate and private key files will now be in /etc/letsencrypt/live/ under a subdirectory named after your website. You should probably back these up (they include the private key, so protect the backup accordingly).

letsencrypt will automatically modify the Apache configuration file and restart the daemon, enabling your shiny new certificate.

3. Head back over to the Qualys SSL Labs SSL Server Test. You’ll be able to perform another test to confirm that your certificate has been updated to SHA-256 (if previously SHA-1).

Automating Let’s Encrypt certificate renewal

1. Perform a test renewal (this can be done even if the certificate has not expired):
letsencrypt renew

2. To configure an automatic renewal every day at 3am, create a cron job with the following command:
crontab -e
and paste the following line in (the day-of-month, month and day-of-week fields are all * so it runs every day):
0 3 * * * /usr/bin/letsencrypt renew >> /var/log/letsencrypt.log

You can view the nightly renewal logs in /var/log/letsencrypt.log to see how it’s tracking.
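A cron entry that silently fails (expired account, changed DNS, Apache plugin error) will only be noticed when the 90-day certificate lapses, so it is worth having the job check the result as well as log it. The wrapper below is an added example, not part of the original post or the letsencrypt client: it runs the renewal, timestamps the log, and then uses openssl's -checkend to flag any certificate under /etc/letsencrypt/live/ that is within 14 days of expiry, which with a 90-day certificate and daily renewal attempts means the renewal has been failing. The warning threshold, the script path in the cron line and the log path are assumptions; the live directory is the one the post mentions.

```shell
#!/bin/sh
# Added example, not from the original post: renewal wrapper with an expiry check.
# Invoke from cron with the argument "run", e.g. (path is an assumption):
#   0 3 * * * /usr/local/sbin/le-renew.sh run

LE_BIN=${LE_BIN:-/usr/bin/letsencrypt}         # client binary from the post
LE_LOG=${LE_LOG:-/var/log/letsencrypt.log}     # log path from the post
WARN_DAYS=${WARN_DAYS:-14}                     # assumed threshold: well inside the
                                               # 30-day window the client renews in

# Append a UTC-timestamped line to the renewal log.
log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LE_LOG"
}

# Return 0 if the certificate in $1 expires within $2 days (or cannot be read),
# 1 otherwise. openssl exits 0 only when the cert is still valid after that time.
cert_expires_within() {
    if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run the renewal, then inspect every live certificate. Returns the number of
# certificates within WARN_DAYS of expiry, so 0 means everything is healthy.
renew_and_check() {
    live_dir=${1:-/etc/letsencrypt/live}
    if "$LE_BIN" renew >> "$LE_LOG" 2>&1; then
        log "renew finished ok"
    else
        log "renew exited with status $? -- check the output above"
    fi

    at_risk=0
    for pem in "$live_dir"/*/cert.pem; do
        [ -e "$pem" ] || continue
        if cert_expires_within "$pem" "$WARN_DAYS"; then
            log "WARNING: $pem expires within $WARN_DAYS days; renewal may be failing"
            at_risk=$((at_risk + 1))
        fi
    done
    return "$at_risk"
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
case "${1:-}" in
    run) renew_and_check; exit $? ;;
esac
```

Because the wrapper exits non-zero whenever a certificate is at risk, cron's own mail (or whatever alerting you already have on job exit status) picks it up without any extra tooling; the WARNING lines in /var/log/letsencrypt.log give the detail.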