Enable HSTS by default

Hi all,

Some things have changed since Michael wrote his great Knowledgebase article here http://licensecart.com/plugin/support_manager/knowledgebase/view/41/a-grade-ssl-security/2/
E.g. the cipher can now be set via the SSL dialogue in Nodeworx. But this does not apply to SSL certs saved in Siteworx, does it? Looking at any site's vhost_domain.conf file, I don't see any mention of the cipher anymore.
Where is the cipher stored? And how can I change it, and better yet, change the default cipher for all new certificates?

And how can I enable HSTS by default for new certificates? Or is Michael's way still the only way to achieve perfect results? Could I set both in ssl.conf?

Thanks

Hi Michael
Many thanks, and yes, my understanding is the SSL dialog in Nodeworx sets the ciphers for all Siteworx SSL as well.
To be honest, you should be able to edit and input different ones for each Siteworx account, but a word of warning: if you mismatch them in certain conditions, Apache may not restart or start due to a cipher mismatch.
Sorry, I need to look at the link for HSTS again, but I would think that is still the only way.
Many thanks
John

Hi all (and John, naturally - Hi!),

I have to revisit this, as I am in the process of streamlining our certificates process. I am still not sure where the cipher is stored now. I tested with a new domain and simply added an LE cert, and it gets an A at Qualys SSL Labs right out of the box. So the cipher is strong, but where does it come from?

Also SSLv3 is disabled, but there is no mention of it in the domain’s vhost_domain.conf

Can anyone shed light on the new SSL configuration?

Cheers,

Michael

I found that I really only have to add

Header add Strict-Transport-Security "max-age=63072000;"

or

Header add Strict-Transport-Security "max-age=63072000; includeSubDomains"

to the vhost_domain.conf in order to get an A+. So

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On

are not needed anymore, and the cipher is also set elsewhere. Still looking for an explanation, or at least the location, though… Anybody?

The only other thing to secure a domain is then to redirect http to https and I found the easiest/best way for me is to add

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

to the vhost_domain.conf (since I have it open anyway). This naturally has to go at the top, in the port 80 configuration (e.g. right after <VirtualHost 123.123.123.1:80>).

Just thought I’d leave this here, in case anybody else is looking for it. So basically only one file needs to be edited to get an A+ at https://www.ssllabs.com/ssltest
and the whole thing is now much easier than in Michael Dance’s excellent article
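Since the post above judges success by the SSL Labs grade, a way to check the two vhost_domain.conf settings directly is to inspect the responses Apache sends. The following checker is an added example, not code from this thread or from InterWorx: it parses a plain-HTTP response to confirm the port 80 redirect lands on https:// for the same host and path, and parses the Strict-Transport-Security header of the HTTPS response the way RFC 6797 describes (case-insensitive directives, max-age required, duplicates invalid, first header field wins). The sample responses, the host www.example.test and the 180-day "long max-age" floor are constructed assumptions; the thread's own value of 63072000 is two years.

```python
"""Checks for the two settings the thread adds to vhost_domain.conf: the
port-80 301 redirect to https:// and the Strict-Transport-Security header.
Added example operating on constructed sample responses; it is not code from
the InterWorx thread or product."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed floor for a "long" max-age: 180 days (the thread uses two years).
LONG_MAX_AGE = 180 * 24 * 3600


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Return (status code, headers) from a raw HTTP response; header names are
    lower-cased and repeated headers are kept in order."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value as RFC 6797 describes it: ';'-separated
    directives, case-insensitive names, max-age required, no duplicates."""
    directives: Dict[str, str] = {}
    problems: List[str] = []
    for part in value.split(";"):
        part = part.strip()
        if not part:  # tolerates the trailing ';' used in the thread
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            problems.append("duplicate directive " + name)
        directives[name] = val.strip().strip('"')
    max_age = 0
    if "max-age" not in directives:
        problems.append("max-age missing")
    elif not directives["max-age"].isdigit():
        problems.append("max-age is not an integer: " + directives["max-age"])
    else:
        max_age = int(directives["max-age"])
    return HstsPolicy(max_age, "includesubdomains" in directives,
                      "preload" in directives, problems)


def check_redirect(http_raw: str, host: str, path: str) -> Tuple[bool, str]:
    """The plain-HTTP response must be a permanent redirect to the same host
    and path on https://, which is what the RewriteRule in the thread produces."""
    status, headers = parse_response(http_raw)
    if status not in (301, 308):
        return False, "expected 301/308 on port 80, got %d" % status
    location = headers.get("location", [""])[0]
    expected = "https://%s%s" % (host, path)
    if location != expected:
        return False, "Location is %r, expected %r" % (location, expected)
    return True, "ok"


def check_hsts(https_raw: str) -> Tuple[bool, str, Optional[HstsPolicy]]:
    """The HTTPS response must carry one well-formed STS header with a long max-age."""
    _, headers = parse_response(https_raw)
    values = headers.get("strict-transport-security", [])
    if not values:
        return False, "no Strict-Transport-Security header", None
    policy = parse_hsts(values[0])  # clients process the first field only
    if len(values) > 1:
        policy.problems.append("%d STS headers present (Header add instead of set?)" % len(values))
    if policy.problems:
        return False, "; ".join(policy.problems), policy
    if policy.max_age < LONG_MAX_AGE:
        return False, "max-age %d is below %d" % (policy.max_age, LONG_MAX_AGE), policy
    return True, "ok", policy


# Constructed sample responses; www.example.test is a placeholder host.
HTTP_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
                 "Location: https://www.example.test/login\r\nContent-Length: 0\r\n\r\n")
HTTP_PLAIN = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"
HTTPS_GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
              "Content-Type: text/html\r\n\r\n<html>")
HTTPS_SHORT = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n<html>"

if __name__ == "__main__":
    print("redirect:", check_redirect(HTTP_REDIRECT, "www.example.test", "/login"))
    print("no redirect:", check_redirect(HTTP_PLAIN, "www.example.test", "/login"))
    print("hsts:", check_hsts(HTTPS_GOOD)[:2])
    print("short hsts:", check_hsts(HTTPS_SHORT)[:2])
```

The duplicate-header check exists because mod_headers' `Header add` appends a second field if a Strict-Transport-Security header is already being set at another level (for example in the server-wide ssl.conf); browsers process only the first one. `Header always set` replaces any existing value and also applies to non-2xx responses, so it is the safer form when the header is managed in more than one place.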

The SSL config was moved out of each vhost I think with the iworx 5.1 update and into one SSL.conf for the server.
Makes it much easier to standardize SSL for the server versus having to go into each account!

/etc/httpd/conf.d/ssl.conf


Also, if you want to just change the Ciphers, you can do it through NodeWorx on the SSL page. If you want to change a protocol though, like only allow TLSv1.2, you have to just edit the config files.
You can do a lot of it with ciphers though, like !TLS1:!TLS1_1 (or something like that)

Hi

Hope you're well, Michael.

Just a little note that if you set ciphers differently on vhost sites (which you could do manually), this could lead to Apache not starting up, due to mismatches in ciphers.

Many thanks

John

Hi Justec,

Thanks a lot! I knew that conf file, but somehow I assumed it wouldn't be applied; I guess false memories of testing it… :wink: I will check it again.

This does make everything a lot easier, you’re right.

Hey John,

Yes, very fine, thanks. And thanks a lot for the input. I know I have set some ciphers manually (unnecessarily, as it turned out above) and will revert that.

Cheers,

Michael