Custom SSL CipherSuite

Hi all,

Below is a script that, via the Event Hooks plugin, will allow you to modify the default SSLCipherSuite setting whenever a new SSL certificate is installed. As always, feel free to tweak it to suit your purposes!

Thanks!


#!/bin/bash
#
# INSTALLATION:
#
# First, ensure the InterWorx CLI is installed via 'yum install interworx-cli'
# 
# Install this script at /usr/local/bin/custom_cipher_suite.sh
# 
# Enable the Event Hooks plugin in NodeWorx.
# Add the following line to your InterWorx Event Hook Configuration:
# 
#     Ctrl_Siteworx_Ssl install /usr/local/bin/custom_cipher_suite.sh
# 
# Ensure that this file *and* the Event Hook config are both readable
# and executable by the iworx user:
# 
#     chmod 0770 /usr/local/bin/custom_cipher_suite.sh
#     chown iworx /usr/local/bin/custom_cipher_suite.sh
# 
# In order for this script to run successfully, the iworx user
# must be added to the sudoers file. This can be done as follows:
# 
# Run 'visudo'
# Append these lines: 
#
#     %iworx ALL=(ALL) NOPASSWD:SETENV: /bin/bash -p /usr/local/bin/custom_cipher_suite.sh
#     Defaults:%iworx !requiretty
#
# Save and exit visudo

# iw_working_domain is exported by the Event Hooks plugin; bail out if unset.
if [[ "$iw_working_domain" == "" ]]; then
  exit 1
fi

# Not root yet: re-run this script under sudo, preserving the environment
# (-E) so iw_working_domain survives the switch, and pass sudo's status back.
if [[ "$(id -u)" != "0" ]]; then
  self="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/$(basename "$0")"
  sudo -E bash -p "$self"
  exit $?
fi

file="/etc/httpd/conf.d/vhost_$iw_working_domain.conf"

# Default cipher string written by InterWorx; only an exact match is replaced.
oldcipher="RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW"
newcipher="[YOUR CUSTOM CIPHERSUITE HERE]"

sed -i "s/SSLCipherSuite $oldcipher/SSLCipherSuite $newcipher/g" "$file"

Is there something broken with my browser, or is all the stuff in ... not showing here?

Update:
Double clicking it I was able to copy paste the whole script out.

Also, if you need more info on Event Hook setup itself, check out this post:
http://forums.interworx.com/threads/8043-Event-Hooks-Setup

I did this and was still getting an F when testing the SSL for a new site I had just set up, and realized it was because the conf file didn't have SSLProtocol All -SSLv2 -SSLv3.

So I updated the string replace line (sed) with this:
sed -i "s/SSLCipherSuite $oldcipher/SSLCipherSuite $newcipher\nSSLProtocol All -SSLv2 -SSLv3/g" "$file"

Now it also inserts the SSLProtocol into the conf file right after the Cipher. Pretty sure InterWorx 5.1 will fix this, but for the mean time thought this could help.

EDIT:
I also updated the newcipher to block Diffie-Hellman Key Exchange (https://www3.trustwave.com/support/kb/KnowledgebaseArticle14785.aspx).
Added !DH to the end.

SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DH

Just realized with all my testing for adding this new SSLProtocol stuff, that after adding a new SSL cert to a site, the config file is setup correctly as per my event hook. I checked this by looking at the vhost file directly.
But when I do a test on https://www.ssllabs.com/ssltest I got an F.

It seems as though the event hook is fired after the restart of apache (for the new config file).

So basically the flow is:

  1. New cert is installed
  2. HTTPD Vhost config file updated with SSL info (basic Iworx setup)
  3. Apache restart
  4. Event hook fires and changes the config file

Adding this line right before the end of the script (under the sed line) fixes this:
apachectl -k graceful

I like to use apachectl, but you could also do a service httpd restart.

Now finally have an automated setup when creating SSL sites that gives me an A on SSL Labs! Just in time for InterWorx 5.1 to come out and do it for me :slight_smile:
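An added example (my own, not the thread's script or InterWorx code) that does the same vhost edit more robustly: it replaces whatever SSLCipherSuite value is present instead of only the stock default, inserts or rewrites SSLProtocol so re-running the hook changes nothing, and checks the result. The cipher string is the one quoted above, the sample vhost is constructed, and GNU sed (as on the CentOS hosts InterWorx runs on) is assumed.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes GNU sed/grep.

NEWCIPHER="EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DH"
NEWPROTO="All -SSLv2 -SSLv3"

# Replace every SSLCipherSuite line regardless of its current value, then
# add SSLProtocol after it once (or rewrite an existing one), keeping the
# directive's indentation. Running this twice leaves the file unchanged.
harden_vhost() {
  local file="$1"
  sed -i "s|^\([[:space:]]*\)SSLCipherSuite .*|\1SSLCipherSuite $NEWCIPHER|" "$file"
  if grep -q '^[[:space:]]*SSLProtocol' "$file"; then
    sed -i "s|^\([[:space:]]*\)SSLProtocol .*|\1SSLProtocol $NEWPROTO|" "$file"
  else
    # & is the matched SSLCipherSuite line, \1 its leading whitespace.
    sed -i "s|^\([[:space:]]*\)SSLCipherSuite .*|&\n\1SSLProtocol $NEWPROTO|" "$file"
  fi
}

# Return 0 only when the hardened cipher line and protocol line are present.
check_vhost() {
  local file="$1"
  grep -qF "SSLCipherSuite $NEWCIPHER" "$file" || return 1
  grep -q "^[[:space:]]*SSLProtocol $NEWPROTO" "$file" || return 1
  return 0
}

# Constructed sample vhost resembling the InterWorx default, for a dry run.
make_sample() {
  local file="$1"
  cat > "$file" <<'EOF'
<VirtualHost 203.0.113.10:443>
  ServerName example.com
  SSLEngine on
  SSLCipherSuite RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW
  SSLCertificateFile /path/to/cert.pem
</VirtualHost>
EOF
}
```

Run `apachectl -k graceful` after `harden_vhost`, as described above, or the running Apache keeps the old settings. If this is wired in through the sudoers entry from the first post, keep the script root-owned and not group-writable: anyone who can edit a file that sudo runs as root can run anything as root.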

This is a great script, thanks for putting it together.

I’d been manually editing vhosts on just a few domains after coming to the realization that settings already in these files will override the main httpd.conf by default.

The full set of directives from https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/ seems to take the default SSL cipher settings from an F to a B on the SSL Labs test. Although once now, it seems that something overwrote my vhost-level SSL settings and they needed to be put back, possibly after a modification to SSL settings in SiteWorx.

Hi Qwidjibo
Many thanks, but you may want to look up Licencecart's (Mike) post and have an A+ rating.
If I have time, I’ll look it up and post link.
Many thanks
John