Next, get nmap on your server and your desktop. You have to scan the server over and over. With nmap, do this:
nmap -A -T4 myserver.com
You’ll get output like this:
Nmap scan report for myserver.com (0.0.0.0)
Host is up (0.072s latency).
rDNS record for 0.0.0.0 myserver.com
Not shown: 927 filtered ports, 64 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.2.17 ((FreeBSD) mod_ssl/2.2.17 OpenSSL/1.0.0d PHP/5.3.6 with Suhosin-Patch)
|_html-title: 403 Forbidden
110/tcp  open  pop3     Courier pop3d
|_pop3-capabilities: USER STLS IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING LOGIN-DELAY(10) TOP OK(K Here s what I can do)
143/tcp  open  imap     Courier Imapd (released 2011)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA STARTTLS THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
443/tcp  open  ssl/http Apache httpd 2.2.17 ((FreeBSD) mod_ssl/2.2.17 OpenSSL/1.0.0d PHP/5.3.6 with Suhosin-Patch)
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html; charset=iso-8859-1).
465/tcp  open  ssl/smtp qmail smtpd
|_sslv2: server still supports SSLv2
| smtp-commands: EHLO c.slaptech.net, AUTH LOGIN CRAM-MD5 PLAIN, AUTH=LOGIN CRAM-MD5 PLAIN, STARTTLS, PIPELINING, 8BITMIME
|_HELP qmail home page: http://pobox.com/~djb/qmail.html
993/tcp  open  ssl/imap Courier Imapd (released 2011)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
995/tcp  open  ssl/pop3 Courier pop3d
|_pop3-capabilities: USER IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING OK(K Here s what I can do) TOP LOGIN-DELAY(10)
8000/tcp open  http     Icecast streaming media server
|_html-title: Icecast Streaming Media Server
Service Info: OSs: Unix, FreeBSD
My first goal is to get rid of the SSLv2 warning. Some websites said this was a PCI violation. To do this, first read the mod_ssl docs. Then, you need to alter the configuration file a bit. My file was /usr/local/etc/apache22/extras/httpd-ssl.conf. I added this line to the global config:
SSLProtocol ALL -SSLv2
That enables all but the SSLv2 protocol, which is the oldest protocol and is considered insecure. The newer ones are SSLv3 and TLSv1.
Also, alter the ciphers. Look for the SSLCipherSuite line and change it to:
I’m not sure I have that right, but it’s mostly about enabling TLSv1, and disabling the LOW and MEDIUM grade ciphers. “TLSv1” above is an alias for a number of different ciphers. See the SSLCipherSuite section in the mod_ssl docs for more information — it’s too complex to describe here. But, in short, negotiating an SSL connection involves several phases, and in each phase, you can use different ciphers. Some are considered stronger than others. Exchanging data with these ciphers requires that both the client and the server have the required programs to handle the ciphers. That’s why there are choices — the programs will try to work with what they’ve got, and also try to use the most secure ciphers.
Your job is to disable the less secure protocol, SSLv2, and not include the less secure ciphers. Read the mod_ssl docs for more details and info on how to list available ciphers.
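To confirm that the SSLProtocol change actually took, rescan and look for ports that nmap's sslv2 script still flags. The following is an added example, not code from the original post: it parses the plain-text nmap -A output format shown above and lists the ports whose sslv2 result still reports SSLv2 support, using a shortened sample scan constructed from the output above.

```python
import re
from typing import Dict, List

# Constructed sample: a shortened copy of the `nmap -A` output shown
# earlier on this page, one port or script result per line.
SAMPLE_SCAN = """\
Nmap scan report for myserver.com (0.0.0.0)
Host is up (0.072s latency).
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.2.17
|_html-title: 403 Forbidden
443/tcp  open  ssl/http Apache httpd 2.2.17
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html; charset=iso-8859-1).
465/tcp  open  ssl/smtp qmail smtpd
|_sslv2: server still supports SSLv2
| smtp-commands: EHLO c.slaptech.net, AUTH LOGIN CRAM-MD5 PLAIN, STARTTLS
993/tcp  open  ssl/imap Courier Imapd (released 2011)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN
8000/tcp open  http     Icecast streaming media server
"""

# Matches a port line such as "443/tcp  open  ssl/http Apache httpd 2.2.17"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Matches an NSE result line: "|_sslv2: ..." or "| smtp-commands: ..."
SCRIPT_LINE = re.compile(r"^\|[_ ]\s*([\w-]+):\s*(.*)$")

def parse_nmap_output(text: str) -> Dict[int, dict]:
    """Return {port: {state, service, version, scripts}} for each port line,
    attaching the script results that follow a port line to that port."""
    ports: Dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"state": m.group(3), "service": m.group(4),
                              "version": m.group(5).strip(), "scripts": {}}
            continue
        s = SCRIPT_LINE.match(line)
        if s and current is not None:
            ports[current]["scripts"][s.group(1)] = s.group(2)
    return ports

def ports_still_offering_sslv2(text: str) -> List[int]:
    """Ports whose sslv2 script result says the server still accepts SSLv2.
    Once SSLProtocol ALL -SSLv2 is in effect, a rescan should return []."""
    return sorted(port for port, info in parse_nmap_output(text).items()
                  if "SSLv2" in info["scripts"].get("sslv2", ""))
```

Feed it the saved output of a fresh scan after restarting Apache; the mail services on 465/993/995 are configured separately and will keep showing up until their own SSL settings are changed.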
Next, you have to establish a new virtual server for the web store. This requires creating a new Apache conf file, using this default file as a template.
The main thing about making an SSL site is getting those certificates, putting them in a safe place, setting the permissions, and getting the server to come up. Just for starters, get a certificate from CAcert.org or make a self-signed certificate. You can “upgrade” to a commercial certificate after you’ve configured the server correctly.
But, before you can do that, you need to allocate an IP address for the website. This is a limitation of Apache and OpenSSL, at this time. Until recently, there was no way to run name-based virtual hosts with SSL; the problem was that SSL was negotiated before the hostname was sent to the server, so you could only have one certificate per IP address.
Today, there’s a feature called server name indication (SNI) that allows it. Read about gnutls and SNI and Apache with SNI. Also read Wikipedia on SNI – it indicates that any version of IE on Windows XP does not support SNI. Therefore we can’t use SNI on the server. We must use IP addresses for vhosting.
Lock down the default virtual host.
(I’m not sure if it complies with the export laws as stated in the agreement, but it probably does.)