Recently, an article on Slashdot caught my eye; it mentioned that lots of universities in the UK have weak SSL setups. Some of our websites used Extended Validation for SSL, and these seemed like good ones to test to make sure our setup is as safe as it can be. One common issue that is easily fixed is cipher ordering: ensure that the ciphers are listed in the correct order and that RC4 is used for clients that only support TLS 1.0.

The change to the Apache SSL config is:

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
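
To show what SSLHonorCipherOrder changes, here is an added example (not part of the original post and not Apache's code) that models cipher selection with the server's order ignored and then honored. The expanded suite list and the two client offers are constructed assumptions; the real expansion of the cipher string depends on the OpenSSL build.

```python
# Added example: a simplified model of TLS cipher selection, not Apache code.
# SERVER_ORDER is a constructed, abbreviated expansion of the SSLCipherSuite
# string above; the real expansion depends on the OpenSSL build.
SERVER_ORDER = [
    "ECDHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256",
    "RC4-SHA",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]
# Suites defined only for TLS 1.2; a TLS 1.0 handshake cannot use them.
TLS12_ONLY = {"ECDHE-RSA-AES128-SHA256", "AES128-GCM-SHA256"}

# Constructed client offers, in each client's own preference order.
TLS10_CLIENT = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"]
TLS12_CLIENT = ["AES128-SHA", "ECDHE-RSA-AES128-SHA256",
                "AES128-GCM-SHA256", "RC4-SHA"]


def negotiate(client_offer, tls_version, honor_server_order):
    """Return the suite the server selects, or None when nothing overlaps."""
    usable = [s for s in SERVER_ORDER
              if tls_version >= (1, 2) or s not in TLS12_ONLY]
    if honor_server_order:
        # SSLHonorCipherOrder On: first server entry the client also offers.
        ranked, allowed = usable, set(client_offer)
    else:
        # SSLHonorCipherOrder Off: first client entry the server also accepts.
        ranked, allowed = client_offer, set(usable)
    return next((s for s in ranked if s in allowed), None)


if __name__ == "__main__":
    for name, offer, ver in [("TLS 1.0 client", TLS10_CLIENT, (1, 0)),
                             ("TLS 1.2 client", TLS12_CLIENT, (1, 2))]:
        for honor in (False, True):
            print(name, "honor=%s" % honor, "->", negotiate(offer, ver, honor))
```

RC4 has since been prohibited in TLS by RFC 7465, so on a current server the same ordering logic applies with the RC4 token removed from the cipher string.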

A recently launched tool from Qualys labs will test SSL websites and give you a grading. The sites we run now come out with an A 🙂
Their stats say that, out of the 127,000 sites that have run the tests, only 12% are secure.

Justin Taylor
