Say what!? SSL is secure, is there more to securing it? Yes.

Over the years, the "SSL" protocol has improved, while the old ciphers it used have grown weaker - they are now easier to break. So, for your web server, what can you do to ensure that the older protocols and ciphers aren't used? Simple. You can configure the web server to accept only the STRONG ciphers and secure protocols. Here's how to configure that for lighttpd, nginx and apache:
lighttpd:

    ssl.use-sslv2 = "disable"
    ssl.cipher-list = "HIGH:MEDIUM:!ADH"

nginx:

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:MEDIUM:!ADH;
    ssl_prefer_server_ciphers on;

apache:

    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
There's also a nice little script (specifically the ssl-cipher-check.pl script) out there that can help determine the SSL protocols and ciphers a remote server accepts. Here is the sample output:
    Testing entic.net:443
    TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
    TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
    TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
    TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
    TLSv1:AES256-SHA - ENABLED - STRONG 256 bits
    SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
    SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
    SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
    SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
    SSLv3:AES256-SHA - ENABLED - STRONG 256 bits
    Total Ciphers Enabled: 10
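Before putting a cipher string into the server config, it helps to see exactly which suites it expands to, and to run the same "strong ciphers only" check over the scanner output above. The following is an added example, not code from the post or from ssl-cipher-check.pl: it uses Python's ssl module, so the expansion reflects whatever OpenSSL build Python is linked against (as it would for the web server), and the scan sample is reconstructed from the ten lines shown above.

```python
import re
import ssl

# Cipher strings from the post: lighttpd/nginx use the first, apache the second.
NGINX_SPEC = "HIGH:MEDIUM:!ADH"
APACHE_SPEC = "HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM"

def resolve_cipher_list(spec):
    """Expand an OpenSSL cipher string into the (name, protocol, bits) suites it enables.

    The local OpenSSL does the expansion, so the result reflects its version and
    security level. TLS 1.3 suites are configured separately and are not governed
    by the cipher string, so they are left out of the list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError when no suite matches the string
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

# One line per suite, in the format ssl-cipher-check.pl prints in the post, e.g.
#   TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
SCAN_LINE = re.compile(r"^(\S+?):(\S+) - ENABLED - \w+ (\d+) bits$")

def parse_scan_output(text):
    """Turn ssl-cipher-check.pl output into (name, protocol, bits) tuples."""
    found = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            found.append((m.group(2), m.group(1), int(m.group(3))))
    return found

def policy_violations(suites, min_bits=128, banned=("ADH", "AECDH", "NULL", "EXP")):
    """Suites an 'only strong ciphers' policy rejects: anonymous, null or export
    suites by name, or key strength below min_bits."""
    return [s for s in suites
            if s[2] < min_bits or any(tag in s[0] for tag in banned)]

# Constructed copy of the ten suites the post reports for entic.net:443.
SAMPLE_SCAN = "\n".join(
    f"{proto}:{name} - ENABLED - STRONG {bits} bits"
    for proto in ("TLSv1", "SSLv3")
    for name, bits in (("RC4-MD5", 128), ("DES-CBC3-SHA", 168), ("RC4-SHA", 128),
                       ("AES128-SHA", 128), ("AES256-SHA", 256)))

if __name__ == "__main__":
    for spec in (NGINX_SPEC, APACHE_SPEC):
        suites = resolve_cipher_list(spec)
        print(f"{spec!r} enables {len(suites)} suites; "
              f"policy violations: {policy_violations(suites)}")
    print("scan violations:", policy_violations(parse_scan_output(SAMPLE_SCAN)))
```

One thing the expansion makes visible: in OpenSSL's cipher syntax `!ADH` only removes anonymous DH suites, not anonymous ECDH (`AECDH-*`) ones, whereas the apache line's `!aNULL` removes both; on builds that ship AECDH suites the lighttpd/nginx string will still list them.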
What is the downside to this? Well, we're essentially telling the web server to accept only the strong ciphers, denying anything weaker. If a browser out there in some distant country requests an SSL connection over a 64-bit cipher, our web site would not load for it.
So, please weigh the risks and benefits before enabling these configurations.