Why do web applications need secure SSL/HTTPS?
Using web applications without HTTPS/SSL can allow sensitive information such as credentials to be transported insecurely, where it can be eavesdropped. However, SSL is an old technology and many earlier versions contain their own security vulnerabilities, such as POODLE attacks or weak ciphers. To combat this, you can align the SSL configuration with modern standards.
How to set up Apache using the Mozilla Intermediate SSL standard:
Generate an Intermediate configuration for SSL using Mozilla’s SSL Configuration Generator.
- Navigate to https://ssl-config.mozilla.org/
- Select Apache under Server Software
- Select Intermediate under Mozilla Configuration
- Enter the Server Version and OpenSSL Version in the Environment settings, or leave the defaults for the latest versions
- The Intermediate SSL configuration for Apache will be generated below
- Copy the contents of the generated text
Remember to modify the configuration so it fits your server
Edit your Apache SSL configuration file:
sudo nano /etc/apache2/sites-available/[YOUR-SITE-NAME]-ssl.conf
Paste the contents of the Mozilla SSL configuration
How to set up nginx using the Mozilla Intermediate SSL standard:
Generate an Intermediate configuration for SSL using Mozilla’s SSL Configuration Generator.
- Navigate to https://ssl-config.mozilla.org/
- Select Nginx under Server Software
- Select Intermediate under Mozilla Configuration
- Enter the Server Version and OpenSSL Version in the Environment settings, or leave the defaults for the latest versions
- The Intermediate SSL configuration for Nginx will be generated below
- Copy the contents of the generated text
Remember to modify the configuration so it fits your server
Edit your Nginx SSL configuration file:
sudo nano /etc/nginx/sites-enabled/[YOUR-SITE].conf
Paste the contents of the Mozilla SSL configuration
How to set up Apache using the Mozilla Modern SSL standard:
Generate a Modern configuration for SSL using Mozilla’s SSL Configuration Generator.
- Navigate to https://ssl-config.mozilla.org/
- Select Apache under Server Software
- Select Modern under Mozilla Configuration
- Enter the Server Version and OpenSSL Version in the Environment settings, or leave the defaults for the latest versions
- The modern SSL configuration for Apache will be generated below
- Copy the contents of the generated text
- Edit your Apache SSL configuration file
sudo nano /etc/apache2/sites-available/[YOUR-SITE-NAME]-ssl.conf
- Paste the contents of the Mozilla SSL configuration
- Remember to modify the configuration so it fits your server
How to set up nginx using the Mozilla Modern SSL standard:
Generate a modern configuration for SSL, using the Mozilla SSL Configuration Generator.
- Navigate to https://ssl-config.mozilla.org/
- Select Nginx under Server Software
- Select Modern under Mozilla Configuration
- Enter the Server Version and OpenSSL Version in the Environment settings, or leave the defaults for the latest versions
- The modern SSL configuration for Nginx will be generated below
- Copy the contents of the generated text
Remember to modify the configuration so it fits your server
Edit your Nginx SSL configuration file:
sudo nano /etc/nginx/sites-enabled/[YOUR-SITE].conf
Paste the contents of the Mozilla SSL configuration
How to check your SSL configuration
You can use a tool called sslyze to confirm the compliance of the SSL configuration to the Mozilla Intermediate or Modern standards. Our pen-test team would not recommend Qualys as it uses its own checks rather than comparing it to the aforementioned standards.
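Before scanning the live server, the edited file itself can be checked for protocol lines that fall outside the chosen profile (Intermediate permits TLS 1.2 and 1.3, Modern only TLS 1.3). The script below is an added example, not part of the original guide or of Mozilla's generator; its function names are illustrative, and it inspects only the ssl_protocols / SSLProtocol directives, not ciphers or curves.

```shell
# Added example: static check of TLS protocol directives (nginx / Apache).
allowed_for() {   # protocols each Mozilla profile permits
  case "$1" in
    intermediate) echo "TLSv1.2 TLSv1.3" ;;
    modern) echo "TLSv1.3" ;;
    *) return 2 ;;
  esac
}

# Expand one directive's arguments into the protocols it enables: nginx's
# plain list or Apache's all / +proto / -proto form.
# Assumption: "all" is counted as including SSLv3 (worst case).
expand_protocols() {
  enabled=""
  for tok in "$@"; do
    case "$tok" in
      all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
      -all)     enabled="" ;;
      -*)       keep=""
                for p in $enabled; do [ "$p" = "${tok#-}" ] || keep="$keep $p"; done
                enabled=$keep ;;
      *)        enabled="$enabled ${tok#+}" ;;
    esac
  done
  echo $enabled
}

# check_tls_protocols PROFILE FILE: 0 compliant, 1 not compliant, 2 bad profile.
# Every directive line is checked, so a leftover pre-paste line is caught too.
check_tls_protocols() {
  profile=$1; file=$2; rc=0
  allowed=$(allowed_for "$profile") || { echo "unknown profile: $profile" >&2; return 2; }
  directives=$(sed -n -E 's/#.*//; s/^[[:space:]]*(ssl_protocols|SSLProtocol)[[:space:]]+([^;]*).*/\2/p' "$file")
  [ -n "$directives" ] || { echo "$file: no protocol directive, server defaults apply"; return 1; }
  while IFS= read -r args; do
    for proto in $(expand_protocols $args); do
      case " $allowed " in
        *" $proto "*) ;;
        *) echo "$file: $proto enabled, outside the $profile profile"; rc=1 ;;
      esac
    done
  done <<EOF
$directives
EOF
  return $rc
}
# With no arguments, run on a constructed nginx snippet that keeps a legacy line.
if [ $# -eq 2 ]; then check_tls_protocols "$1" "$2"; else
  demo=$(mktemp); printf 'ssl_protocols TLSv1.2 TLSv1.3;\nssl_protocols TLSv1 TLSv1.2;\n' >"$demo"
  check_tls_protocols intermediate "$demo" || true; rm -f "$demo"
fi
```

This does not replace the live scan: after reloading the server, recent sslyze releases accept --mozilla_config=intermediate or --mozilla_config=modern to test the running endpoint against the same profile.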