Hi,

I was checking the SSL test score, which is correct (A) with a certificate from Let's Encrypt.
To increase it to A+ I had to fix the ciphers used.
As you know, this information is stored (hard-coded) within the Flexshare.php file.

Here is the requested change, with a proposed and coded solution.

In order to be more flexible as SSL evolves, I've changed Flexshare.php to use the SSL options from a new file: /etc/clearos/flexshare-HTTPS-options.conf
If this file does not exist, the hard-coded default SSL options are dumped to it, and it will look like this:
# From : /etc/clearos/flexshare-HTTPS-options.conf
# Change here your flexshare SSL Configuration
SSLEngine on
# No weak export crypto allowed
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# End of : /etc/clearos/flexshare-HTTPS-options.conf

This allows an (expert) user to change it.

Then the content of this file is used to fill in the virtual host configuration, like this:
<VirtualHost *:443>
ServerName xxxxx
DocumentRoot /var/flexshare/shares/xxxx
ErrorLog /var/log/httpd/xxxxxxxx_error_log
CustomLog /var/log/httpd/xxxxxxxx_access_log common
# From : /etc/clearos/flexshare-HTTPS-options.conf
# Change here your flexshare SSL Configuration
SSLEngine on
# No weak export crypto allowed
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# End of : /etc/clearos/flexshare-HTTPS-options.conf
SSLCertificateFile /etc/clearos/certificate_manager.d/letsencrypt.crt
SSLCertificateKeyFile /etc/clearos/certificate_manager.d/letsencrypt.key
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup pwauth pipe /usr/bin/unixgroup
</VirtualHost>


Please find the new Flexshare.php:

Please also note that I fixed some "issue" about the web share path, which is sometimes:
<ul>
<li>self::SHARE_PATH . "/$name"</li>
<li>$share['ShareDir']</li>
</ul>
These values shouldn't differ unless the user edits /etc/clearos/flexshare.conf.
However, because web shares are supported outside of /var/flexshare/shares, I've aligned everything on: $share['ShareDir']

All these changes are marked with:
#Fixed should be sharedir because works on web like smaba


Please note that the best SSL options I've found and saved into /etc/clearos/flexshare-HTTPS-options.conf are:
SSLEngine on
# No weak export crypto allowed
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLOptions +StrictRequire
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Source : https://httpd.apache.org/docs/trunk/en/mod/mod_ssl.html#sslcompression
# Enabling compression causes security issues in most setups (the so called CRIME attack).
SSLCompression off
# Info : https://httpd.apache.org/docs/trunk/en/mod/mod_ssl.html#sslusestapling
# Browsers are not yet ready for OCSP, and neither are our certificates
SSLUseStapling off
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0


With these I get an A+ score with:
<ul>
<li>Certificate: 100%</li>
<li>Protocol Support: 95%</li>
<li>Key Exchange: 90%</li>
<li>Cipher Strength: 90%</li>
</ul>

Feel free to contact me for any question.
Tuesday, August 08 2017, 06:02 PM
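The mechanism the post describes (seed the options file with the hard-coded defaults on first run, then read it back into each share's virtual host) as an added PHP example; it is not the poster's Flexshare.php patch, and the function names, the 0640 file mode and the sample share values are assumptions.

```php
<?php
// Added example, not the poster's Flexshare.php patch: read Apache SSL directives
// from an external options file (seeding it with the hard-coded defaults on first
// use) and splice them into a Flexshare HTTPS vhost. Names and 0640 are assumptions.
const FLEXSHARE_SSL_OPTIONS = '/etc/clearos/flexshare-HTTPS-options.conf';

// Hard-coded defaults (the set shown in the post), used only to seed the file.
function defaultSslOptions()
{
    return implode("\n", array(
        '# Change here your flexshare SSL Configuration',
        'SSLEngine on',
        'SSLHonorCipherOrder on',
        'SSLProtocol all -SSLv2 -SSLv3 -TLSv1',
        'SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5',
    )) . "\n";
}

// Returns the directives wrapped in the "From"/"End of" markers seen in the vhost.
function loadSslOptions($path = FLEXSHARE_SSL_OPTIONS)
{
    if (!file_exists($path)) {
        // First run: persist the defaults so an expert can edit them later. Keep the
        // file root-owned and not world-writable: it is loaded verbatim as Apache config.
        if (file_put_contents($path, defaultSslOptions(), LOCK_EX) === false) {
            throw new RuntimeException("Cannot write $path");
        }
        chmod($path, 0640);
    }
    $options = file_get_contents($path);
    if ($options === false) {
        throw new RuntimeException("Cannot read $path");
    }
    return "# From : $path\n" . rtrim($options) . "\n# End of : $path\n";
}

// Per-share vhost; $shareDir is $share['ShareDir'], which the post aligns on so
// shares outside /var/flexshare/shares keep working.
function buildVhost($name, $shareDir, $sslOptions)
{
    return "<VirtualHost *:443>\n"
        . "ServerName $name\n"
        . "DocumentRoot $shareDir\n"
        . "ErrorLog /var/log/httpd/{$name}_error_log\n"
        . "CustomLog /var/log/httpd/{$name}_access_log common\n"
        . $sslOptions
        . "SSLCertificateFile /etc/clearos/certificate_manager.d/letsencrypt.crt\n"
        . "SSLCertificateKeyFile /etc/clearos/certificate_manager.d/letsencrypt.key\n"
        . "</VirtualHost>\n";
}
```

Call buildVhost($name, $share['ShareDir'], loadSslOptions()) at the point where Flexshare.php currently emits the hard-coded SSL block; the type declarations are left out so it also runs on the PHP 5 shipped with older ClearOS releases.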