I'm really hoping someone can help. We're running CentOS 6.5 (Final) / Apache 2.2.15, and an SSL version check returns 1.0.1e-fips. The basic issue is that we need to harden our security settings; however, we're failing to get an A rating at SSL Labs, only achieving a B rating, primarily, it seems, due to less than ideal protocol support.
We first attempted to update the SSLProtocol as follows in /etc/httpd/conf/httpd.conf:
Code:
SSLProtocol -ALL +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
The same update was also made in ssl.conf, and after restarting the service, again the same result: TLS 1.0 is showing as enabled.
I don't quite understand why there's been no change to the scan results after making these changes. I wonder if it's because our version of mod_ssl does not support the new, more secure ciphers, although I read somewhere that updates to mod_ssl are likely to have been backported.
On a separate note, should we look at upgrading CentOS to 6.7? Would that automatically bring with it the necessary updated packages? Or should we be running a yum update? I have to admit, server security not being my forte, I'm struggling somewhat to get to grips with how best to proceed. There seem to be so many variables to consider.
I'd be really grateful for any assistance that can be offered.
Many thanks in advance.
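As an added example, not part of the original post or of anyone's reply: the script below walks httpd-style config text and reports which SSLProtocol and SSLCipherSuite values each context actually ends up with, which is the check to run when a scan still shows TLS 1.0 after the directives were edited. It applies mod_ssl's own rules: within one context a later directive replaces an earlier one, a VirtualHost's own SSLProtocol overrides the global (server config) one, and a VirtualHost without one inherits the global value. The file contents, the 192.0.2.10 address and the set of names that "all" expands to are constructed assumptions, so it runs offline against the inline samples.

```python
"""Audit which SSLProtocol / SSLCipherSuite values actually apply per Apache
context.  Added example on constructed config text (not from the post)."""
import re
from typing import Dict, Set

# Names mod_ssl accepts.  Treating "all" as this whole set is an assumption:
# what "all" expands to depends on the httpd/OpenSSL build.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
_BY_LOWER = {p.lower(): p for p in ALL_PROTOCOLS}
_DIRECTIVES = {d.lower(): d for d in ("SSLProtocol", "SSLCipherSuite")}


def parse_ssl_protocol(value: str) -> Set[str]:
    """Apply mod_ssl's rules: names are case-insensitive, '+' adds a protocol,
    '-' removes one, and a bare name replaces the whole set."""
    enabled: Set[str] = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        name = name.lower()
        if name != "all" and name not in _BY_LOWER:
            raise ValueError(f"unknown SSLProtocol token {token!r}")
        members = set(ALL_PROTOCOLS) if name == "all" else {_BY_LOWER[name]}
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = members
    return enabled


def collect_settings(files: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Keep the LAST SSL directive seen per context ("server config" or
    "VirtualHost <addr>"): a later directive in the same context replaces an
    earlier one.  Assumption: Include is not followed, VirtualHosts do not nest."""
    settings: Dict[str, Dict[str, str]] = {"server config": {}}
    for text in files.values():
        context = "server config"
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            if opened:
                context = "VirtualHost " + opened.group(1).strip()
                settings.setdefault(context, {})
            elif re.match(r"</VirtualHost>", line, re.I):
                context = "server config"
            else:
                parts = line.split(None, 1)
                if len(parts) == 2 and parts[0].lower() in _DIRECTIVES:
                    settings[context][_DIRECTIVES[parts[0].lower()]] = parts[1].strip()
    return settings


def effective(settings: Dict[str, Dict[str, str]], context: str, directive: str) -> str:
    """A VirtualHost without its own value inherits the server-config one."""
    return settings.get(context, {}).get(directive) or settings["server config"].get(directive, "")


def audit(files: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Per context: the effective protocol set, whether SSLv2/SSLv3/TLSv1 is
    still reachable, and the cipher string that context really uses."""
    settings = collect_settings(files)
    report: Dict[str, Dict[str, object]] = {}
    for context in settings:
        # "all" is mod_ssl's documented default when SSLProtocol is set nowhere
        protos = parse_ssl_protocol(effective(settings, context, "SSLProtocol") or "all")
        report[context] = {
            "protocols": sorted(protos),
            "legacy_enabled": bool(protos & {"SSLv2", "SSLv3", "TLSv1"}),
            "cipher_suite": effective(settings, context, "SSLCipherSuite"),
        }
    return report


# Constructed sample in the shape the post describes (hypothetical contents).
SAMPLE_FILES = {
    "/etc/httpd/conf/httpd.conf": """
# hardened settings placed in the global (server config) context
SSLProtocol -ALL +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
""",
    "/etc/httpd/conf.d/ssl.conf": """
<VirtualHost _default_:443>
    # distribution-style lines never removed: the VirtualHost context wins
    # over the global one, so TLS 1.0 and the weak ciphers stay enabled here
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    # no SSLProtocol of its own, so this vhost inherits the hardened global value
</VirtualHost>
""",
}

if __name__ == "__main__":
    for context, row in audit(SAMPLE_FILES).items():
        state = "LEGACY PROTOCOL ON" if row["legacy_enabled"] else "ok"
        print(f"{context:30} {state:19} {' '.join(row['protocols'])}")
```

To apply this to a real box, feed it httpd.conf plus everything under conf.d (where CentOS installs ssl.conf), run `apachectl configtest` before restarting so a typo in a directive is caught first, and then confirm against the live listener with `openssl s_client -connect host:443 -tls1`: if that handshake completes, TLS 1.0 is still being accepted whatever the files appear to say.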