Below is a script that, via the Event Hooks plugin, will allow you to modify the default SSLCipherSuite setting whenever a new SSL certificate is installed. As always, feel free to tweak it to suit your purposes!
Thanks!
#!/bin/bash
#
# INSTALLATION:
#
# First, ensure the InterWorx CLI is installed via 'yum install interworx-cli'
#
# Install this script at /usr/local/bin/custom_cipher_suite.sh
#
# Enable the Event Hooks plugin in NodeWorx.
# Add the following line to your InterWorx Event Hook Configuration:
#
# Ctrl_Siteworx_Ssl install /usr/local/bin/custom_cipher_suite.sh
#
# Ensure that both this file *and* the Event Hook config are both readable
# and executable by the iworx user:
#
# chmod 0770 /usr/local/bin/custom_cipher_suite.sh
# chown iworx /usr/local/bin/custom_cipher_suite.sh
#
# In order for this script to run successfully, the iworx user
# must be added to the sudoers file. This can be done as follows:
#
# Run 'visudo'
# Append these lines:
#
# %iworx ALL=(ALL) NOPASSWD:SETENV: /bin/bash -p /usr/local/bin/custom_cipher_suite.sh
# Defaults:%iworx !requiretty
#
# Save and exit visudo

# Event Hooks exports the domain being worked on; bail out if it is missing.
if [[ "$iw_working_domain" == "" ]]; then
    exit 1
fi

# The vhost file is root-owned, so when invoked as the iworx user re-run this
# script under sudo (matching the sudoers entry above) and pass the status back.
if [[ "$(id -u)" != "0" ]]; then
    self="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/$(basename "$0")"
    sudo -E bash -p "$self"
    exit $?
fi

file="/etc/httpd/conf.d/vhost_$iw_working_domain.conf"
# The stock cipher string InterWorx writes into the vhost; the sed below only
# rewrites lines that carry exactly this value.
oldcipher="RC4:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW"
newcipher="[YOUR CUSTOM CIPHERSUITE HERE]"
sed -i "s/SSLCipherSuite $oldcipher/SSLCipherSuite $newcipher/g" "$file"
Is there something broken with my browser, or is all the stuff in not showing here?
Update: double-clicking it, I was able to copy/paste the whole script out.
Also, if you need more info on Event Hook setup itself, check out this post:
http://forums.interworx.com/threads/8043-Event-Hooks-Setup
I did this and was still getting an F when testing the SSL for a new site I had just set up, and realized it was because the conf file didn't have SSLProtocol All -SSLv2 -SSLv3.
So I updated the string replace line (sed) with this:
sed -i "s/SSLCipherSuite $oldcipher/SSLCipherSuite $newcipher\nSSLProtocol All -SSLv2 -SSLv3/g" "$file"
Now it also inserts the SSLProtocol into the conf file right after the Cipher. Pretty sure InterWorx 5.1 will fix this, but in the meantime I thought this could help.
Just realized, with all my testing for adding this new SSLProtocol stuff, that after adding a new SSL cert to a site, the config file is set up correctly as per my event hook. I checked this by looking at the vhost file directly.
But when I do a test on https://www.ssllabs.com/ssltest I got an F.
It seems as though the event hook is fired after the restart of apache (for the new config file).
So basically the flow is:
New cert is installed
HTTPD Vhost config file updated with SSL info (basic Iworx setup)
Apache restart
Event hook fires and changes the config file
Adding this line right before the end of the script (under the sed line) fixes this:
apachectl -k graceful
I like to use apachectl, but you could also do a service httpd restart.
Now I finally have an automated setup when creating SSL sites that gives me an A on SSL Labs! Just in time for InterWorx 5.1 to come out and do it for me.
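Pulling the three points in this thread together (the cipher-suite rewrite from the original script, the missing SSLProtocol directive, and reloading Apache from the hook), here is an added example, not the script from the original post, of a hook that does not depend on the stock cipher string still being present and is safe to re-run. It assumes GNU sed and awk and that iw_working_domain is exported as in the original script; the NEW_CIPHERS variable, the vhost_hardened check and the --file mode are its own additions.

```bash
#!/bin/bash
# Added example (not the thread's own script): an idempotent version of the
# vhost edit discussed above. It rewrites whatever SSLCipherSuite value is
# present instead of matching one exact old string, adds SSLProtocol only when
# the vhost lacks one, and reloads Apache itself, so the result is correct even
# though the hook fires after InterWorx's own restart. Assumes GNU sed/awk.
set -u

# Placeholder, as in the original script: substitute your own vetted cipher list.
NEW_CIPHERS="${NEW_CIPHERS:-[YOUR CUSTOM CIPHERSUITE HERE]}"
NEW_PROTOCOL="All -SSLv2 -SSLv3"

# harden_vhost FILE: rewrite the SSL directives of one Apache vhost file in place.
harden_vhost() {
    local file="$1"
    [ -w "$file" ] || { echo "not writable: $file" >&2; return 1; }
    # Replace the value of every SSLCipherSuite line, whatever it currently holds.
    sed -i -E "s|^([[:space:]]*SSLCipherSuite)[[:space:]].*|\1 $NEW_CIPHERS|" "$file"
    if grep -qE '^[[:space:]]*SSLProtocol[[:space:]]' "$file"; then
        sed -i -E "s|^([[:space:]]*SSLProtocol)[[:space:]].*|\1 $NEW_PROTOCOL|" "$file"
    else
        # No SSLProtocol directive yet: add one directly after SSLCipherSuite.
        sed -i "/^[[:space:]]*SSLCipherSuite[[:space:]]/a SSLProtocol $NEW_PROTOCOL" "$file"
    fi
}

# vhost_hardened FILE: exit 0 only if exactly one correct directive of each kind is present.
vhost_hardened() {
    awk -v c="$NEW_CIPHERS" -v p="$NEW_PROTOCOL" '
        function rest(s) { sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", s); return s }
        $1 == "SSLCipherSuite" { nc++; if (rest($0) != c) bad = 1 }
        $1 == "SSLProtocol"    { np++; if (rest($0) != p) bad = 1 }
        END { if (nc == 1 && np == 1 && !bad) exit 0; exit 1 }' "$1"
}

# Event-hook entry point: InterWorx exports iw_working_domain for Ctrl_Siteworx_Ssl.
# Root is still required, so keep the sudo/visudo arrangement from the first post.
if [ -n "${iw_working_domain:-}" ]; then
    harden_vhost "/etc/httpd/conf.d/vhost_$iw_working_domain.conf" && apachectl -k graceful
elif [ "${1:-}" = "--file" ]; then      # manual use: custom_cipher_suite.sh --file PATH
    harden_vhost "${2:?vhost path required}" && vhost_hardened "$2" && echo "hardened: $2"
fi
```

Running it twice on the same vhost leaves a single SSLCipherSuite and a single SSLProtocol line, which is what makes it safe to re-fire after SiteWorx rewrites the file.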
This is a great script, thanks for putting it together.
I’d been manually editing vhosts on just a few domains after coming to the realization that settings already in these files will override the main httpd.conf by default.
The full set of directives from https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/ seems to take the default SSL cipher settings from an F to a B on the SSL Labs test. Although, once now, it seems that something overwrote my vhost-level SSL settings and they needed to be put back, possibly after a modification to SSL settings in SiteWorx.
Hi Qwidjibo
Many thanks, but you may want to look up Licencecart's (Mike) post and get an A+ rating.
If I have time, I’ll look it up and post link.
Many thanks
John