virtual.wf's HTTPS configuration needs updating

[konklone]

The server is currently vulnerable to Heartbleed, to an OpenSSL MITM vulnerability, and is using SHA-1-signed certificates.

The SSL Labs analysis lays out the issues:

This could also be a good time to tighten up the ciphers to favor forward secrecy, and to implement the HSTS header, so that browsers skip over the http:// URL entirely and don't wait for the redirect.

On that (side) note, the project uses an http:// URL in a couple places:

[eric79]

@konklone thank you! You are quite thorough. 😄

How's this for a candidate for most-improved award?

Heartbleed and other vulnerability mitigated, with new post-mitigation certificates signed with SHA-2. I moved the ciphers one step in the right direction, though they still use RC4 on IE 10 and older. I'm not aware that anything better can be done for them. Any ideas?

We also now use the HSTS header so repeat visitors will not have to wait for the redirect, and I changed those references to http to https.

Thank you again, your help is much appreciated. Any time you want to swing through our site and poke at it, feel free. 😄

[eric79]

I think I will go ahead and close this issue, and if you have any thoughts on the RC4 issue, we can make that a new issue. Thanks again.

[konklone]

How's this for a candidate for most-improved award?

I moved the ciphers one step in the right direction, though they still use RC4 on IE 10 and older. I'm not aware that anything better can be done for them. Any ideas?

If you control the ciphersuites, I think you can do better - here's my cipher choices for konklone.com

• SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
• nginx config portion: https://gist.github.com/konklone/6532544#file-nginx-conf-L43-L50

That covers all the IEs, with a non-FS carveout for IE8+XP. It doesn't use RC4 anywhere.

One other thing you can do to bump up the key exchange strength is pre-generate 2048-bit DH parameters, so it's the same size as your key. Your version of Apache is defaulting to 1024-bit parameters, which keeps your key strength score at 80, and is why it shows 1024-bit marks here:

If you upgrade Apache, version 2.4 defaults DH params to match key-length -- or if you keep 2.2, you can run openssl dhparam -outform pem -out dhparam2048.pem 2048, and then refer to that file in Apache using SSLDHParametersFile /path/to/dh2048.pem.

Thank you again, your help is much appreciated. Any time you want to swing through our site and poke at it, feel free. 😄

My pleasure, thanks for being so responsive and putting the legwork in on this!

[eric79]

I'm reopening this issue, so I don't forget to address your other points.

... and thanks for the medal. 😉