Howto get an A+-Rating at Qualys SSL Labs with Apache 2.2

November 1, 2014

One of my HTTPS servers currently gets an A- on Qualys SSL Labs test, as I’m running Ubuntu 12.04 LTS with Apache 2.2 which does not support the ECHDE-Cipher suites, which is required for Perfect Forward Secrecy with the Internet Explorer.

aminusrating

Upgrading to Ubuntu 14.04 needs some major rework for which I currently don’t have the time for.But there is now a trick to get that A-Rating and it is called TLS Interposer. It uses LD_PRELOAD to intercept the OpenSSL API calls and adds some additional features and security settings.

Currently there is no deb package for Ubuntu 12.04, so we need to compile it for our-self:

wget https://github.com/Netfuture/tlsinterposer/archive/master.zip
unzip master.zip
cd tlsinterposer-master/
make

Possible errors:

  • make: cc: Command not found -> install the gcc (apt-get install gcc)
  • tlsinterposer.c:29:25: error: openssl/ssl.h: No such file or directory –> Install the OpenSSL Development package (apt-get install libssl-dev)

Now we need only an make install and we’re ready to try it. For this we add

export LD_PRELOAD=/usr/local/lib/libtlsinterposer.so

at the end of

/etc/apache2/envvars

and restart Apache with

/etc/init.d/apache2 restart

And you get

aplusrating

Success!!!

You need also following for an A+ Rating:

  • Following needs to be still in the Apache config:
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCompression Off
    # SSLCipherSuite settings will be ignored
  • You need to HSTS configured, check this link for how to enable it on Apache 2.2

 

So this is with Ubuntu 12.04 … I’ve tried the same with Centos 6 but I didn’t have success.  Following problems did arise

1. Makefile

The Makefile does not support the names of the ssl libs on Centos 6 – when you compile, you get:

tlsinterposer.c:85: error: ‘DEFAULT_SSLLIB’ undeclared here (not in a function)

The Makefile has a regex that does not work with Centos 6. I changed following

# diff Makefile.orig Makefile
32c32
<       ldconfig -p | sed -n -e 's/^\t*\(libssl\.so\.[0-9]\.[0-9]\.[0-9]\).*/#define DEFAULT_SSLLIB "\1"/p' > $@
---
>       ldconfig -p | sed -n -e 's/^\t*\(libssl\.so\.[0-9][0-9]\).*/#define DEFAULT_SSLLIB "\1"/p' > $@

and deleted the file ssl-version.h and called make again and it compiled. I’ve reported that to author.

2. application’s cipher is not overwritten

Loading the TLS Interposer with putting it in /etc/sysconfig/httpd and than doing an /etc/init.d/httpd restart worked but the application’s cipher didn’t get changed. I could verify that with the test scripts which come with TLS Interposer:

# ./run_tests
gcc -O2 -Wall -Wextra simple_server.c -lcrypto -lssl -o simple_server
Test 1a pass
Test 1b FAIL!
Test 1c pass
Test 1d pass
Test 1e pass
Test 2a pass
Test 2b pass
Test 2c pass
Test 3a pass
Test 3b pass
Test 4a pass
Test 4b pass
Test 4c pass
Test 5a pass
Test 5b pass
Test 5c pass
Test 5d pass

I’ve reported that to the author. If I get an update on this I’ll report in my blog about this.

1 Comment »

RSS feed for comments on this post. TrackBack URI

  1. […] Jeśli używamy serwera Apache lub HAproxy możemy skorzystać z rad H. Schlawack’a lub R. Penz’a. […]

    Pingback by NF.sec – Linux Security Blog - Konfiguracja SSL dla nginx na 5+ — January 13, 2015 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 39 queries. 0.061 seconds.