Monday 9 June 2014

Linux: SSL Labs A+ certificate configuration for your Apache website (Updated 15 June 2015)

Hi Guys,


NOTE: This has been updated on 15 June 2015 to use a SHA-256 CSR and the SHA-256 StartCom intermediate (cross-signing) certificate. This still gives you an A+ rating.

Here is a quick configuration that gets an A+ rating for your apache web server.
NOTE: For ECDHE to work you MUST be using apache 2.4 or greater (see the apache 2.2 to 2.4 upgrade post below).
First go to your apache conf dir (/etc/apache2/) and create an ssl directory if it does not exist:
mkdir ssl
cd ssl

If you have multiple vhosts it is a good idea to separate your certificates
mkdir vhostname
cd vhostname

Now generate the private key and the CSR we will use to request our certificate:
openssl req -sha256 -out vhostname.csr -new -newkey rsa:4096 -nodes -keyout vhostname.key
This generates a 4096 bit RSA key (vhostname.key) and a SHA-256 signed CSR (vhostname.csr) for the next step. -nodes leaves the key unencrypted so apache can start unattended, which is why we lock the file permissions down below.
Copy the content of vhostname.csr.

Go to the following website:
StartSSL
Go to the validation wizard and complete a domain validation for your domain.

Once you have received your validation email and entered the code, go back to the certificate wizard tab
Select "Web Server SSL/TLS Certificate"
Skip the generate private key section (we created ours just before)
Paste in the content of your vhostname.csr
Add your subdomain so it is included as a SAN (eg www.vhostname.com as well as vhostname.com)

Once the certificate has been issued, save it as a new file "vhostname.crt" in your vhostname directory.
Now download the StartSSL SHA-256 class 1 intermediate certificate, because apache has to send it along with our certificate in the virtualhost (without it clients cannot build the chain and SSL Labs flags an incomplete chain):
wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem -O sub.class1.server.ca.pem

Secure your keys

chmod 400 *

Go to your vhost configuration
(somewhere in /etc/apache2/sites-enabled/; on apache 2.4 the file name must end in .conf)
The default is 000-default, however I usually create one per site I'm hosting.

Here is an extract (the file names match the vhostname directory we created above):
<VirtualHost *:80>
 ServerAdmin webmaster@vhostname.com
 ServerName www.vhostname.com
 ServerAlias vhostname.com
 # keep the trailing slash: Redirect appends the rest of the request path to the target
 Redirect permanent / https://www.vhostname.com/
</VirtualHost>

<VirtualHost *:443>
 ServerAdmin webmaster@vhostname.com
 ServerName www.vhostname.com

 # two years in seconds; needs mod_headers (a2enmod headers)
 Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

 DocumentRoot /var/www/vhostname
 <Directory />
  Options FollowSymLinks
  AllowOverride None
 </Directory>
 <Directory /var/www/vhostname>
  # drop Indexes unless you actually want directory listings
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  # apache 2.4 access control (Order/Allow is 2.2 syntax and only works via mod_access_compat)
  Require all granted
 </Directory>

 ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 <Directory "/usr/lib/cgi-bin">
  AllowOverride None
  Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  Require all granted
 </Directory>

 ErrorLog ${APACHE_LOG_DIR}/error_vhostname.log

 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 LogLevel warn

 CustomLog ${APACHE_LOG_DIR}/access_vhostname.log combined

 SSLEngine on
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
 # legacy workaround for old Internet Explorer SSL shutdown bugs (not a BEAST mitigation)
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 SSLCertificateFile /etc/apache2/ssl/vhostname/vhostname.crt
 SSLCertificateKeyFile /etc/apache2/ssl/vhostname/vhostname.key
 SSLCertificateChainFile /etc/apache2/ssl/vhostname/sub.class1.server.ca.pem
</VirtualHost>

# OCSP stapling. SSLStaplingCache must be in the server config, outside any VirtualHost,
# and the shmcb cache needs mod_socache_shmcb (a2enmod socache_shmcb)
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLCACertificateFile /etc/apache2/ssl/vhostname/sub.class1.server.ca.pem
SSLStaplingCache shmcb:/var/run/ocsp(128000)

We can see here we have a permanent redirect from the HTTP site to the HTTPS site (the trailing slash on the target matters, otherwise apache glues the request path straight onto the host name).
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" tells the browser to connect ONLY via HTTPS for the next two years. includeSubDomains extends that to every subdomain, so make sure all of them really serve HTTPS before you set it: a browser that has seen this header will not fall back to HTTP.

We turn on the SSLEngine
We disable SSLv2 and v3 (not secure)
We force the ciphers to be honoured in the order listed (so the strongest suite the client supports gets used)
We set the CipherSuite (this list only allows AES-256, which can stop Java clients from connecting. In that case use the following, which adds the AES-128 suites after the AES-256 ones:
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
The SetEnvIf line is the old apache default workaround for Internet Explorer versions with broken SSL shutdown handling (it disables keepalive and skips the clean TLS close for them). It is not a BEAST mitigation; BEAST is a TLS 1.0 CBC weakness that current browsers have patched on their side.
We then set our certificate, key and the StartSSL intermediate.

Outside of the VirtualHost tag we set up OCSP stapling: apache fetches the OCSP response for its own certificate and sends it inside the TLS handshake, so clients do not have to contact the CA's OCSP responder themselves (faster, and the CA does not get to see which sites your visitors hit). SSLStaplingReturnResponderErrors off means a responder outage is not passed on to clients as an error.

Make sure the modules the config needs are enabled (a2enmod ssl headers socache_shmcb), run apachectl configtest to catch typos, then restart apache (service apache2 restart) and you should be good to go. Check out your score on https://www.ssllabs.com
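Before running the SSL Labs test it is worth checking the vhost file itself for the mistakes that cost a grade. The script below is an added example (not code from the original post or from Apache): it reads an Apache config fragment as text and flags SSLv3 left enabled, cipher families not excluded, client-chosen cipher order, a missing or short HSTS header, stapling without a cache, and 2.2-era Order/Allow access control. The two config samples are constructed, and the 180-day HSTS floor is an assumption based on the SSL Labs A+ rule of the time; check the current grading guide.

```python
"""Audit an Apache SSL vhost fragment for the settings this post relies on.
Added example, not part of the original post or of Apache. The 180-day
HSTS floor is an assumption based on the SSL Labs A+ rule of the time.
"""
import re
import sys

HSTS_MIN_MAX_AGE = 180 * 24 * 3600  # assumption, see docstring
MUST_EXCLUDE = ('aNULL', 'eNULL', 'EXPORT', 'RC4', 'MD5')  # as in the post's list

# Constructed sample: 2.2-era habits left in (SSLv3 on, no HSTS, Order/Allow).
WEAK_VHOST = """
<VirtualHost *:443>
 SSLEngine on
 SSLProtocol all -SSLv2
 SSLHonorCipherOrder on
 SSLCipherSuite HIGH:!aNULL:!MD5
 Order allow,deny
 Allow from all
</VirtualHost>
"""

# Constructed sample: the same vhost with the post's fixes applied.
HARDENED_VHOST = """
<VirtualHost *:443>
 Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 Require all granted
 SSLEngine on
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
</VirtualHost>
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
"""


def parse_directives(text):
    """[(name, args)] per directive line; names lower-cased because Apache
    directive names are case-insensitive. Comments and <section> tags are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in '#<':
            parts = line.split(None, 1)
            out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ''))
    return out


def hsts_max_age(directives):
    """max-age in seconds from a Header ... Strict-Transport-Security line, else None."""
    for name, args in directives:
        if name == 'header' and 'strict-transport-security' in args.lower():
            m = re.search(r'max-age\s*=\s*(\d+)', args, re.I)
            if m:
                return int(m.group(1))
    return None


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    directives = parse_directives(text)
    byname = {}
    for name, args in directives:
        byname.setdefault(name, []).append(args)
    findings = []
    proto = ' '.join(byname.get('sslprotocol', [])).lower().split()
    if not proto:
        findings.append('SSLProtocol not set; set it explicitly (all -SSLv2 -SSLv3)')
    elif 'all' in proto and '-sslv3' not in proto:  # 'all' includes SSLv3
        findings.append('SSLProtocol leaves SSLv3 enabled (POODLE); add -SSLv3')
    ciphers = ':'.join(byname.get('sslciphersuite', []))  # empty string if unset
    missing = [c for c in MUST_EXCLUDE
               if not re.search(r'(^|:)!%s(:|$)' % c, ciphers, re.I)]
    if missing:
        findings.append('SSLCipherSuite does not exclude: ' + ', '.join(missing))
    if ' '.join(byname.get('sslhonorcipherorder', [])).lower() != 'on':
        findings.append('SSLHonorCipherOrder is not on; the client picks the cipher')
    age = hsts_max_age(directives)
    if age is None:
        findings.append('no Strict-Transport-Security header; SSL Labs needs HSTS for A+')
    elif age < HSTS_MIN_MAX_AGE:
        findings.append('HSTS max-age %d is below %d seconds' % (age, HSTS_MIN_MAX_AGE))
    if any(k in byname for k in ('order', 'allow', 'deny')):
        findings.append("2.2-style Order/Allow/Deny found; on 2.4 use 'Require all granted'")
    if ' '.join(byname.get('sslusestapling', [])).lower() != 'on':
        findings.append('SSLUseStapling is not on; no OCSP stapling')
    elif 'sslstaplingcache' not in byname:
        findings.append('SSLUseStapling on but no SSLStaplingCache; mod_ssl needs one in server scope')
    return findings


if __name__ == '__main__':  # usage: python audit_ssl_vhost.py sites-enabled/vhostname.conf
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_VHOST
    print('\n'.join(audit(src) or ['no findings']))
```

Run it against the file in sites-enabled (or with no argument to see the weak sample flagged). It only reads directive text, so it cannot tell you whether the chain file or the OCSP responder actually work; that part is what the SSL Labs run is for.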

Let me know how you get on down below in the comments. Obviously I have written this very "quickly" and it requires some knowledge of linux and openssl. Using this configuration gives me the following:

Sunday 8 June 2014

Linux: Upgrading apache 2.2 to apache 2.4

Hi All,

If you are looking at upgrading apache 2.2 to apache 2.4 here is a quick guide for you (tested on Ubuntu 12.04 LTS)

First you need to add some repos
apt-add-repository ppa:ptn107/apache
apt-add-repository ppa:ondrej/php5

Then quickly do an update

apt-get update

Once this is complete install the upgraded apache (2.4.9 at time of writing):
apt-get install apache2-mpm-worker

Accept any updates to other packages and continue with the upgrade.

FYI

If you are using vhosts to host multiple sites, apache 2.4 changed the include in apache2.conf (located in /etc/apache2/): it now only picks up sites-enabled/*.conf, so a vhost file without a .conf suffix is silently ignored.

If your vhosts are not working you have two options. The cleaner one is to rename the files in sites-available to end in .conf and re-enable them (a2ensite expects the .conf name as well). The quick one is to edit apache2.conf back to the old behaviour:
OLD: IncludeOptional sites-enabled/*.conf
NEW: IncludeOptional sites-enabled/*

Also note that 2.4 replaced the Order/Allow/Deny access control with Require (eg Require all granted); the old syntax only keeps working as long as mod_access_compat is loaded.

then restart apache2
service apache2 restart

now your vhosts should be working again :)

Next guide "Getting A+ rating on globalsign sslchecker using free!!!11!!! certificates :)"

Sunday 25 May 2014

Python: Restarting and monitoring specific threads

Hi All,

Anyone who has used python before knows how painful threading can be, especially when you have a multithreaded program with specific threads that must "always" be alive.
Having hacked around for a while I came up with the following solution:

import threading
import time

class ThreadRestartable(threading.Thread):
    def __init__(self, theName):
        threading.Thread.__init__(self, name=theName)

    def run(self):
        print("In ThreadRestartable\n")
        time.sleep(10)

thd = ThreadRestartable("WORKER")
thd.start()

while True:
    i = 0
    for t in threading.enumerate():
        if t.name == "WORKER":  # compare strings with ==, not 'is'
            i = 1
    print(threading.enumerate())
    if i == 0:
        # a finished Thread cannot be start()ed again, so create a new one
        thd = ThreadRestartable("WORKER")
        thd.start()
    time.sleep(5)
We can see it running here:
python run.py
In ThreadRestartable
[<_MainThread(MainThread, started 139833484474176)>, ]

[<_MainThread(MainThread, started 139833484474176)>, ]
[<_MainThread(MainThread, started 139833484474176)>, ]
[<_MainThread(MainThread, started 139833484474176)>, ]
[<_MainThread(MainThread, started 139833484474176)>, ]
[<_MainThread(MainThread, started 139833484474176)>]
[<_MainThread(MainThread, started 139833484474176)>]
In ThreadRestartable

[<_MainThread(MainThread, started 139833484474176)>, ]
[<_MainThread(MainThread, started 139833484474176)>, ]

As we can see we use a named thread WORKER and then use threading.enumerate() to look for the thread by name. If it does not exist we start it again. This would normally be used where we have a long running thread that should never end. If you create the thread the standard way, watch it with something like if not thread.is_alive() and then call start() on the same object again, python raises RuntimeError ("threads can only be started once"): a Thread object is single use, so it has to be recreated. Note also that the name check must use ==, not is; comparing strings with is only works by accident of interning.
Hope this helps someone out there :)
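The same idea taken one step further, as an added example (not code from the original post; Python 3, with a made-up FlakyWorker class, thread names and timings): here the worker dies by itself because its run() hits an error, the supervisor notices through threading.enumerate() and builds a fresh Thread object, and a small helper shows the RuntimeError you get if you try to start() the old one again.

```python
"""Supervise a named worker thread and recreate it when it dies.

Added example, not from the original post; Python 3. The worker class,
names and timings are made up for the demo.
"""
import threading
import time


class FlakyWorker(threading.Thread):
    """Worker that 'works' for `lifetime` seconds and then crashes."""

    def __init__(self, name, lifetime, crash_log):
        super().__init__(name=name, daemon=True)
        self.lifetime = lifetime
        self.crash_log = crash_log

    def run(self):
        try:
            time.sleep(self.lifetime)
            raise RuntimeError('simulated crash in %s' % self.name)
        except RuntimeError as exc:
            # record it; once run() returns the thread drops out of enumerate()
            self.crash_log.append(str(exc))


def find_thread(name):
    """Return the live thread called `name`, or None.

    Compare with ==, not 'is': the post's `t.name is "WORKER"` only works
    by accident of string interning.
    """
    for t in threading.enumerate():
        if t.name == name:
            return t
    return None


def start_twice_fails(thread):
    """True if start() on an already started Thread raises RuntimeError."""
    thread.join()
    try:
        thread.start()
    except RuntimeError:  # "threads can only be started once"
        return True
    return False


def supervise(factory, name, duration, poll=0.01):
    """Keep a thread called `name` alive for `duration` seconds.

    `factory(name)` must return a fresh, unstarted Thread. Returns how many
    times a dead worker had to be replaced.
    """
    restarts = 0
    worker = factory(name)
    worker.start()
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        if find_thread(name) is None:
            restarts += 1
            worker = factory(name)  # new object; the spent one cannot be reused
            worker.start()
        time.sleep(poll)
    return restarts


if __name__ == '__main__':
    crashes = []
    n = supervise(lambda nm: FlakyWorker(nm, 0.2, crashes), 'WORKER', 2.0, poll=0.05)
    print('restarted WORKER %d times after %d crashes' % (n, len(crashes)))
```

In a real service the factory would build your actual worker; the supervisor loop itself does not care what the thread does, only that something with that name is still in threading.enumerate().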

Thursday 22 May 2014

SCOM 2012 R2: Linux Monitoring...

Hi Guys,

It has been a really long time since I posted on here but yes I am still around heh :)

Anyway I have been working with a client lately who wants to check out the linux monitoring from SCOM, which I have personally stayed away from (I have a unix/linux background and I am paranoid about putting anything MS on something like RHEL). Anyway, since the client wants to get rid of the other monitoring platforms in place if possible and have all monitoring coming from one system, I had no choice but to check it out.

At first most of the issues around deploying the agent happened to be with the RHEL box one of the unix guys gave me. Basically some firewall fun and adding the SCOM IPs into /etc/hosts.allow; after this I could discover the box but the install was failing at the certificate assignment. In this case it turns out I forgot to set the certificate profile run as account back in SCOM. After setting this the agent installed fine... Next I was not actually getting any performance monitoring in the console, then realised I forgot to assign the run as profile for the unprivileged and privileged users, woohoo..

So I eventually figured it out but then couldn't be bothered waiting for it to pull data so went home..

Will update you all as to if you should even bother with the linux based monitoring agents I'm guessing not :)

6/6/14 UPDATE:
So far the servers have not died, which is a good thing I guess. The base RHEL pack obviously is pulling in all the std happy crap like disk usage etc; other than that nothing special. I did try a bunch of management packs from an "un-named" company for MySQL and Apache (httpd). I don't really have very good things to say about them, I may name drop them in future :D