Custom SSL CipherSuite

  • Custom SSL CipherSuite

    Hi all,

    Below is a script that, via the Event Hooks plugin, will allow you to modify the default SSLCipherSuite setting whenever a new SSL certificate is installed. As always, feel free to tweak it to suit your purposes!

    Thanks!

    Code:
    #!/bin/bash
    #
    # INSTALLATION:
    #
    # First, ensure the InterWorx CLI is installed via 'yum install interworx-cli'
    # 
    # Install this script at /usr/local/bin/custom_cipher_suite.sh
    # 
    # Enable the Event Hooks plugin in NodeWorx.
    # Add the following line to your InterWorx Event Hook Configuration:
    # 
    #     Ctrl_Siteworx_Ssl install /usr/local/bin/custom_cipher_suite.sh
    # 
    # Ensure that both this file *and* the Event Hook config are readable
    # and executable by the iworx user:
    # 
    #     chmod 0770 /usr/local/bin/custom_cipher_suite.sh
    #     chown iworx /usr/local/bin/custom_cipher_suite.sh
    # 
    # In order for this script to run successfully, the iworx user
    # must be added to the sudoers file. This can be done as follows:
    # 
    # Run 'visudo'
    # Append these lines: 
    #
    #     %iworx ALL=(ALL) NOPASSWD:SETENV: /bin/bash -p /usr/local/bin/custom_cipher_suite.sh
    #     Defaults:%iworx !requiretty
    #
    # Save and exit visudo
    
    # The Event Hooks plugin exports the affected domain as iw_working_domain;
    # without it there is no vhost file to edit, so bail out.
    if [[ "$iw_working_domain" == "" ]]; then
      exit 1
    fi
    
    # The hook runs as iworx, but the vhost file is root-owned: re-run this
    # script under sudo (-E keeps iw_working_domain in the environment, which
    # the SETENV tag in the sudoers rule above permits) and exit with its status.
    if [[ "$(id -u)" != "0" ]]; then
      self="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/$(basename "$0")"
      sudo -E bash -p "$self"
      exit $?
    fi
    
    file="/etc/httpd/conf.d/vhost_$iw_working_domain.conf"
    
    # Only the stock InterWorx default is replaced; a vhost that already carries
    # a different SSLCipherSuite value is left untouched.
    oldcipher="RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW"
    newcipher="[YOUR CUSTOM CIPHERSUITE HERE]"
    
    sed -i "s/SSLCipherSuite $oldcipher/SSLCipherSuite $newcipher/g" "$file"
    Matt Parmelee
    Interworx Developer
    http://www.interworx.com/

  • #2
    Is there something broken with my browser, or is all the stuff in [code] not showing here?

    Update
    Double clicking it I was able to copy paste the whole script out.

    Also, if you need more info on Event Hook setup itself, check out this post:
    http://forums.interworx.com/threads/...nt-Hooks-Setup
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]



    • #3
      I did this and was still getting an F when testing the SSL for a new site I had just set up, and realized it was because the conf file didn't have SSLProtocol All -SSLv2 -SSLv3

      So I updated the string replace line (sed) with this:
      sed -i "s/SSLCipherSuite $oldcipher/SSLCipherSuite $newcipher\n SSLProtocol All -SSLv2 -SSLv3/g" "$file"

      Now it also inserts the SSLProtocol into the conf file right after the Cipher. Pretty sure InterWorx 5.1 will fix this, but for the mean time thought this could help.


      EDIT:
      I also updated the newcipher to block Diffie-Hellman Key Exchange (https://www3.trustwave.com/support/k...icle14785.aspx).
      Added !DH to the end.

      SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DH
      Last edited by Justec; 06-17-2015, 10:21 PM.
      [ JUSTIN ]
      [ OFF unit ]
      [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]



      • #4
        Just realized, with all my testing for adding this new SSLProtocol stuff, that after adding a new SSL cert to a site the config file is set up correctly as per my event hook. I checked this by looking at the vhost file directly.
        But when I do a test on https://www.ssllabs.com/ssltest I got an F.

        It seems as though the event hook is fired after the restart of apache (for the new config file).

        So basically the flow is:
        1) New cert is installed
        2) HTTPD Vhost config file updated with SSL info (basic Iworx setup)
        3) Apache restart
        4) Event hook fires and changes the config file

        Adding this line right before the end of the script (under the sed line) fixes this:
        apachectl -k graceful


        I like to use apachectl, but you could also do a service httpd restart.

        Now I finally have an automated setup when creating SSL sites that gives me an A on SSL Labs! Just in time for InterWorx 5.1 to come out and do it for me :)
        [ JUSTIN ]
        [ OFF unit ]
        [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF ]



        • #5
          This is a great script, thanks for putting it together.

          I'd been manually editing vhosts on just a few domains after coming to the realization that settings already in these files will override the main httpd.conf by default.

          Full set of directives from https://www.acunetix.com/blog/articl...her-hardening/ seem to take the default SSL cipher settings from an F to a B on the SSL Labs test. Although, once now, it seems that something overwrote my vhost-level SSL settings and they needed to be put back, possibly after a modification to SSL settings in SiteWorx.
          Corey Northcutt



          • #6
            Hi Qwidjibo
            Many thanks, but you may want to look up Licencecart's (Mike) post and have an A+ rating.
            If I have time, I'll look it up and post link.
            Many thanks
            John
