Friday, April 10, 2009

Removing SSL Vulnerabilities on Webservers

A great website for reference is here.

IIS CONFIG

Create a file named sslvulnerabilityremoval.reg with the following contents, merge it on the Windows server (Server 2003 in my case) and reboot so SCHANNEL picks up the change. It turns off the PCT 1.0 and SSL 2.0 protocols on the server side and the NULL, 56-bit DES, 40/56-bit RC2 and 40/56/64-bit RC4 ciphers; 128-bit RC4, 3DES and AES stay enabled. Note that the Ciphers keys have no Server/Client split, so they also stop the box from using those ciphers as a client. On a fresh install most of these keys don't exist yet; merging the file creates them.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

APACHE CONFIG

Here's a basic SSL virtual host for httpd.conf (Apache 2.2 syntax; mod_ssl and mod_rewrite must be loaded). SSLv2 is simply left out of SSLProtocol, the cipher list strips anonymous, NULL, LOW and export suites, and the RewriteRule answers TRACE with a 403. On Apache 2.0.55 or later you can use TraceEnable off instead of the rewrite rule.

<VirtualHost *:443>
    ServerName whatever.yourdomain.com
    DocumentRoot "/export/web/html"
    ErrorLog logs/whatever.yourdomain.com_error_log
    CustomLog logs/whatever.yourdomain.com_access_log common

    <Directory "/export/web/html">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    SSLEngine on

    # Only SSLv3 and TLSv1; SSLv2 is never offered.
    SSLProtocol -all +SSLv3 +TLSv1
    # No anonymous DH, no NULL encryption, no LOW or export-grade suites.
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile /etc/httpd/conf/ssl/whatever.yourdomain.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/whatever.yourdomain.com.key
    SSLCertificateChainFile /etc/httpd/conf/ssl/intermediate.crt

    # Refuse TRACE (cross-site tracing); [F] sends 403 Forbidden.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

</VirtualHost>

TESTING

Each of these tests should fail. What you want to see is a handshake error and a line like "New, (NONE), Cipher is (NONE)". If instead the server hands back its certificate and a "Cipher is <suite>" line, it accepted what you offered and is vulnerable. The </dev/null keeps s_client from sitting there waiting for input once the handshake is done.

Testing for SSLv2 (the local OpenSSL must itself have been built with SSLv2 support, or the -ssl2 flag is rejected and the test proves nothing)

# openssl s_client -ssl2 -connect SERVERNAME:443 </dev/null

Testing for weak ciphers (offer only LOW and export-grade suites)

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP </dev/null
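The two openssl commands above are easy to misread at 2 a.m., and nothing on this page tests the TRACE block in the Apache config. The script below is an added example, not from the original post: it runs the SSLv2, LOW/EXP-cipher and TRACE probes against a host and classifies the output instead of relying on eyeballing it. The classifier functions are pure text functions, so they are exercised against constructed sample outputs (the shape of OpenSSL 0.9.8-era s_client output, trimmed) before any live check runs. Assumptions: openssl(1) in PATH, port 443, the host name given as the first argument; the script name sslcheck.sh is made up.

```shell
#!/bin/sh
# Added example, not from the original post: runs the three checks this page
# cares about (SSLv2, LOW/EXP ciphers, HTTP TRACE) and interprets the output.
# Assumptions: openssl(1) in PATH, port 443, host name given as $1.

# --- classifiers: pure text functions, checkable offline --------------------

# s_client prints "Cipher is (NONE)" when no session was negotiated and the
# suite name otherwise. 0 = server accepted what we offered, 1 = rejected.
s_client_accepted() {
    printf '%s\n' "$1" | grep -q 'Cipher is ' || return 1
    printf '%s\n' "$1" | grep -q 'Cipher is (NONE)' && return 1
    return 0
}

# 0 if the local openssl rejected an option (e.g. -ssl2 on a build without
# SSLv2); such a run says nothing about the server.
s_client_untestable() {
    printf '%s\n' "$1" | grep -qi 'unknown option'
}

# Status code from the first line of an HTTP response, or "" if not HTTP.
http_status() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# 0 if TRACE got a 200 (the server echoes the request back to the client).
trace_allowed() {
    [ "$(http_status "$1")" = "200" ]
}

# --- constructed sample outputs for the offline self-check -----------------
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 512 bit'
SAMPLE_REJECTED='CONNECTED(00000003)
error:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'
SAMPLE_NO_SSL2='unknown option -ssl2
usage: s_client args'
SAMPLE_TRACE_BLOCKED='HTTP/1.1 403 Forbidden
Server: Apache'
SAMPLE_TRACE_ALLOWED='HTTP/1.1 200 OK
Content-Type: message/http'

self_check() {
    s_client_accepted "$SAMPLE_ACCEPTED" &&
    ! s_client_accepted "$SAMPLE_REJECTED" &&
    s_client_untestable "$SAMPLE_NO_SSL2" &&
    trace_allowed "$SAMPLE_TRACE_ALLOWED" &&
    ! trace_allowed "$SAMPLE_TRACE_BLOCKED"
}

# --- live probes: 0 = vulnerable, 1 = hardened, 2 = could not test ---------
check_sslv2() {
    out=$(openssl s_client -ssl2 -connect "$1:443" </dev/null 2>&1)
    s_client_untestable "$out" && return 2
    s_client_accepted "$out"
}

check_weak_ciphers() {
    out=$(openssl s_client -cipher 'LOW:EXP' -connect "$1:443" </dev/null 2>&1)
    s_client_untestable "$out" && return 2
    s_client_accepted "$out"
}

check_trace() {
    out=$(printf 'TRACE / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" |
          openssl s_client -quiet -connect "$1:443" 2>/dev/null)
    trace_allowed "$out"
}

report() {   # report NAME STATUS
    case "$2" in
        0) echo "VULNERABLE: $1 accepted" ;;
        1) echo "ok:         $1 rejected" ;;
        *) echo "UNTESTED:   $1 (local openssl lacks support)" ;;
    esac
}

run_checks() {
    host=$1; bad=0
    for name in "SSLv2:check_sslv2" "LOW/EXP ciphers:check_weak_ciphers" \
                "HTTP TRACE:check_trace"; do
        "${name#*:}" "$host"; s=$?
        report "${name%%:*}" "$s"
        [ "$s" -eq 0 ] && bad=1
    done
    return $bad
}

# Usage: sh sslcheck.sh whatever.yourdomain.com   (exit 1 if anything is open)
if [ -n "${1:-}" ]; then
    self_check || { echo 'self-check failed'; exit 2; }
    run_checks "$1"
fi
```

The exit status is meant for cron or a post-deploy hook: a hardened server returns 0, and a non-zero result points at exactly which of the three settings regressed. The "UNTESTED" branch matters on newer OpenSSL builds, where -ssl2 is rejected outright; without it the SSLv2 test would silently read as a pass.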