Say what!? SSL is secure, is there more to securing it? Yes.
Over the years, the "SSL" protocol became better and the old ciphers used with them got weaker - it's now easier to decipher and hack into. So, for your web server, what can you do to ensure that the older protocols and ciphers aren't used? Simple. You can configure the web server to accept only the STRONG ciphers and secure protocols. Here's how to configure that for lighttpd, nginx and apache:
lighttpd:
ssl.use-sslv2 = "disable"
ssl.cipher-list = "HIGH:MEDIUM:!ADH"
nginx:
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:MEDIUM:!ADH;
ssl_prefer_server_ciphers on;
apache:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
There's also a nice little script (specifically the ssl-cipher-check.pl
script) out there that can assist with determine the SSL protocol and ciphers being used on a remote server. Here is the sample output:
Testing entic.net:443
TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits
Total Ciphers Enabled: 10
What is the downside to this? Well, we're essentially telling the web server to accept only the strong ciphers, denying anything lower. If a browser out there in some distant country requests a SSL connection over a 64bit cipher, our web site would not load.
So, please weigh the risks and benefits before enabling these configurations.
Couple of nice commands, hope this helps someone.
root@vps2:/# /usr/sbin/cfgadm -al -s "select=type(disk),cols=ap_id:info"
Ap_Id Information
c0::dsk/c0t8d0 LSILOGIC Logical Volume
c0::dsk/c0t15d0 SEAGATE ST914602SSUN146G
c0::dsk/c0t16d0 SEAGATE ST914602SSUN146G
c0::dsk/c0t18d0 HITACHI H101414SCSUN146G
c0::dsk/c0t19d0 HITACHI H101414SCSUN146G
root@vps2:/#
OR
root@vps1:~# /usr/sbin/raidctl -l
Controller: 7
Disk: 0.0.0
Disk: 0.1.0
Disk: 0.2.0
Disk: 0.3.0
Disk: 0.4.0
Disk: 0.5.0
root@vps1:~# raidctl -l -g 0.2.0 7
Disk Vendor Product Firmware Capacity Status HSP
----------------------------------------------------------------------------
0.2.0 SEAGATE ST973401LSUN72G 0556 68.3G GOOD N/A
root@vps1:~#
You can of course get all of this using prtconf -v as well.
For nginx and apache, you can just specify multiple Listen statements. For lighttpd however, you need to do it a little bit differently.
You need to make sure to specify the port for the 2nd "bind":
server.bind = "1.2.3.4"
$SERVER["socket"] == "2.3.4.5:80" {}
First, ensure your application is in Solaris's SMF. Here is an example for a Tomcat application server. The same steps will work for Glassfish and other Java applications.
Get the FMRI name. The string that starts with "svc".
root@rule:/# svcs -av |grep tomcat6
online - 6:00:59 775330 svc:/network/http:tomcat6-csk
root@rule:/#
Now set the JAVA_HOME and refresh the SMF service.
root@rule:/# svccfg -s svc:/network/http:tomcat6-csk setenv -m stop JAVA_HOME /usr/jdk/latest
root@rule:/# svccfg -s svc:/network/http:tomcat6-csk setenv -m start JAVA_HOME /usr/jdk/latest
root@rule:/# svcadm refresh svc:/network/http:tomcat6-csk
root@rule:/#
That should do it. You can then do ps -ef |grep java to check that you are using the latest JDK available on the system in /usr/jdk/latest.
From time to time, we upgrade the JDK. So, if you have applications that require a specific version you'll of course not want to use /usr/jdk/latest. You can see the other JDK versions available in /usr/jdk.
Update
For Glassfish, you can update /usr/local/glassfish/config/asenv.conf file by adding or changing AS_JAVA="/usr/jdk/latest" to it. That'll also ensure that Glassfish starts up with the correct JRE.