[QUOTE=mdeinhardt;26931]Setting up new servers, I had to dig up this information again, and I also remembered the post John linked to: http://forums.interworx.com/threads/5116-Custom-SSL-CipherSuite
I’ve been following Michael’s knowledgebase article from here https://licensecart.com/billing/plugin/support_manager/knowledgebase/view/41/a-grade-ssl-security/2/ (and always do get A+ on SSL Labs).
Does anyone know, how to extend that script (I am no programmer and would only f*** things up) and incorporate the changes described in Michael’s article into the event hook script?
I.e. add[/QUOTE]
Here is what I added to turn SSLv3 off:
After:
sed -i "s/SSLCipherSuite $oldcipher/SSLCipherSuite $newcipher/g" $file
Add:
sed -i "/SSLEngine on/a\ \ SSLProtocol All -SSLv2 -SSLv3" $file
sed -i '/^.*:443>/a\ \ Header add Strict-Transport-Security "max-age=63072000;"' $file
Okay, so I took it a step further and created a script to automate the whole process. You still need to enable the interworx plugin but everything else is done automatically:
To copy all of the code, double click and then copy it.
#!/bin/bash
# Custom Script: generates the InterWorx event-hook script that rewrites a domain's vhost file
echo "Creating /usr/local/bin/custom_cipher_suite.sh file..."
touch /usr/local/bin/custom_cipher_suite.sh
echo "if [[ \"\$iw_working_domain\" == \"\" ]]; then" > /usr/local/bin/custom_cipher_suite.sh
echo " exit 1" >> /usr/local/bin/custom_cipher_suite.sh
echo "fi" >> /usr/local/bin/custom_cipher_suite.sh
echo "" >> /usr/local/bin/custom_cipher_suite.sh
echo "if [[ \"\$(id -u)\" != \"0\" ]]; then" >> /usr/local/bin/custom_cipher_suite.sh
echo " self=\"\$( cd \"\$( dirname \"\${BASH_SOURCE[0]}\" )\" && pwd )/\$(basename \$0)\"" >> /usr/local/bin/custom_cipher_suite.sh
echo " sudo -E bash -p \$self" >> /usr/local/bin/custom_cipher_suite.sh
echo " exit 0" >> /usr/local/bin/custom_cipher_suite.sh
echo "fi" >> /usr/local/bin/custom_cipher_suite.sh
echo "" >> /usr/local/bin/custom_cipher_suite.sh
echo "file=\"/etc/httpd/conf.d/vhost_\$iw_working_domain.conf\"" >> /usr/local/bin/custom_cipher_suite.sh
echo "" >> /usr/local/bin/custom_cipher_suite.sh
# \$file must stay escaped here so it is expanded when the hook runs, not when this generator runs
echo "sed -i \"/SSLProtocol/d\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLHonorCipherOrder/d\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLCipherSuite/d\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLEngine on/a\ \ SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLEngine on/a\ \ SSLHonorCipherOrder On\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLEngine on/a\ \ SSLProtocol All -SSLv2 -SSLv3\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
# HSTS header, left disabled by default (see the discussion below about forced https)
# echo "sed -i '/^.*:443>/a\ \ Header add Strict-Transport-Security \"max-age=63072000;\"' \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "Changing permissions on /usr/local/bin/custom_cipher_suite.sh file..."
# owned by iworx so the hook can run it; the sudoers entry below lets it re-run itself as root
chmod 0770 /usr/local/bin/custom_cipher_suite.sh
chown iworx /usr/local/bin/custom_cipher_suite.sh
echo "[DONE]"
echo ""
# Hook File
echo "Creating /etc/iworx-hooks.conf file..."
touch /etc/iworx-hooks.conf
echo "Changing permissions on /etc/iworx-hooks.conf file..."
chown iworx /etc/iworx-hooks.conf
SEARCH_TEXT="/usr/local/bin/custom_cipher_suite.sh"
if grep -q "$SEARCH_TEXT" /etc/iworx-hooks.conf; then
 echo "Modifications to /etc/iworx-hooks.conf already in place..."
else
 echo "" >> /etc/iworx-hooks.conf
 echo "Ctrl_Siteworx_Ssl install /usr/local/bin/custom_cipher_suite.sh" >> /etc/iworx-hooks.conf
fi
echo "[DONE]"
echo ""
# Alter /etc/sudoers
echo "Editing /etc/sudoers file..."
SEARCH_TEXT="/usr/local/bin/custom_cipher_suite.sh"
if grep -q "$SEARCH_TEXT" /etc/sudoers; then
 echo "Modifications to /etc/sudoers already in place..."
else
 echo "" >> /etc/sudoers
 echo "%iworx ALL=(ALL) NOPASSWD:SETENV: /bin/bash -p /usr/local/bin/custom_cipher_suite.sh" >> /etc/sudoers
 echo "Defaults:%iworx !requiretty" >> /etc/sudoers
fi
echo "[DONE]"
echo ""
# Modify VHosts: back up every existing vhost file, then apply the same edits the hook makes
mkdir -p /etc/httpd/conf.d/backups
cd /etc/httpd/conf.d/ || exit 1
for f in vhost_*
do
 case "$f" in
 vhosts_000_defaults.conf)
  echo "Skipping $f file..."
  ;;
 *)
  echo "Backing up $f file..."
  NOW=$(date +"%m-%d-%Y-%H%M%S")
  cp -f "$f" "backups/$f.$NOW"
  sed -i "/SSLProtocol/d" "$f"
  sed -i "/SSLHonorCipherOrder/d" "$f"
  sed -i "/SSLCipherSuite/d" "$f"
  sed -i "/SSLEngine on/a\ \ SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" "$f"
  sed -i "/SSLEngine on/a\ \ SSLHonorCipherOrder On" "$f"
  sed -i "/SSLEngine on/a\ \ SSLProtocol All -SSLv2 -SSLv3" "$f"
  # sed -i '/^.*:443>/a\ \ Header add Strict-Transport-Security "max-age=63072000;"' "$f"
  ;;
 esac
done
echo "[DONE]"
echo ""
echo "Restarting Apache..."
service httpd restart
echo "[DONE]"
d2d4j
April 16, 2015, 1:37am
23
Hi ctalavera
Many thanks for sharing, looks good. I’ll try it on our test server very soon, and if it works as expected, will use it, thanks.
Many thanks
John
It definitely works. I did all 8 of our Interworx servers earlier today. I was thinking about modifying it to update the main ssl.conf as well but I simply did those files manually.
I noticed that on the sites we made the changes to, connections are now being redirected and forced to https://. What change is forcing this? I cannot for the life of me figure it out. Any ideas?
Justec
April 17, 2015, 9:29am
26
Normally the only thing that should be redirecting is some PHP code or an .htaccess file.
But my guess is it has to do something with this line in your script:
echo "sed -i '/^.*:443>/a\ \ Header add Strict-Transport-Security \"max-age=63072000;\"' $file" >> /usr/local/bin/custom_cipher_suite.sh
I think this sets the entire site to only use https. From my original understanding it would just block sending anything over http, not actually redirect you to https, but reading this makes me think different:
HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in ...
d2d4j
April 17, 2015, 11:22am
27
Hi Justin
You’re correct, that’s the code that sends everything to https.
If you want it to use both, but on https, you just set the line as standard for 443, i.e. if you view a vhost file, the header add strict-etc needs placing directly under the http 443 section.
This will allow normal 80 and 443 under strict transport.
To see what I mean, look at 3sh.co.uk, but this is on a test server which may be stopped or reloaded etc…
Many thanks
John
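As an added example (not code from the thread, from InterWorx, or from any poster), the bash below applies the same sed edits from the script above to a constructed two-block vhost file and then checks John's point: the Strict-Transport-Security header must land inside the :443 VirtualHost only, so it is never sent on the port 80 response. The vhost contents, IP and ServerName are constructed sample data.

```bash
#!/bin/bash
# Added example: harden a constructed vhost the way the thread's hook does, then verify it.
make_sample_vhost() {            # constructed sample, not a real InterWorx vhost file
  cat > "$1" <<'EOF'
<VirtualHost 192.0.2.10:80>
  ServerName example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName example.test
  SSLEngine on
  SSLProtocol All
  SSLCipherSuite DEFAULT
</VirtualHost>
EOF
}

# Drop the old TLS directives, re-add hardened ones under "SSLEngine on" (only the :443
# block has it), and append the HSTS header right after the :443 opening tag so the
# policy is confined to the TLS block and never emitted on plain HTTP.
harden_vhost() {
  local f="$1"
  sed -i -e '/SSLProtocol/d' -e '/SSLHonorCipherOrder/d' -e '/SSLCipherSuite/d' "$f"
  sed -i '/SSLEngine on/a\  SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4' "$f"
  sed -i '/SSLEngine on/a\  SSLHonorCipherOrder On' "$f"
  sed -i '/SSLEngine on/a\  SSLProtocol All -SSLv2 -SSLv3' "$f"
  sed -i '/^.*:443>/a\  Header add Strict-Transport-Security "max-age=63072000;"' "$f"
}

# Returns 0 only if: exactly one SSLProtocol line and it disables SSLv2/SSLv3, cipher
# order is honoured, and Strict-Transport-Security appears once in :443 and never in :80.
check_vhost() {
  local f="$1"
  [ "$(grep -c 'SSLProtocol' "$f")" -eq 1 ] || return 1
  grep -q 'SSLProtocol All -SSLv2 -SSLv3' "$f" || return 2
  grep -q 'SSLHonorCipherOrder On' "$f" || return 3
  awk '                                   # track which <VirtualHost ...:PORT> block we are in
    /<VirtualHost / { port = $0; sub(/.*:/, "", port); sub(/>.*/, "", port) }
    /Strict-Transport-Security/ { seen[port]++ }
    END { ok = (seen["443"] == 1 && !("80" in seen)); exit ok ? 0 : 1 }
  ' "$f"
}

main() {
  local tmp; tmp=$(mktemp)
  make_sample_vhost "$tmp"; harden_vhost "$tmp"
  check_vhost "$tmp" && echo "vhost OK" || echo "vhost check FAILED"
  rm -f "$tmp"
}
main
```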
Okay, looks like removing that line and clearing the cache resolved that. Thanks. Although we will leave it on our sites, we didn’t want that on our hosting clients’ sites.