SSL

Brewer, Beardsman, Geek, Godzilla Hunter Extraordinaire

Apache HTTPS configuration – June 2015

Apache HTTPS configuration – June 2015

HTTPS is HTTP over TLS.  It allows you to encrypt traffic to and from your web server, providing privacy and security for your clients.  As of this writing, the world is moving ever closer to HTTPS everywhere: thanks to the Snowden documents, there’s been a big push for more privacy and security.  Major companies like Google and Mozilla are securing traffic by default for all their applications.  Cloudflare is offering free HTTPS encryption between clients and their severs.  Let’sEncrypt, a new Certificate Authority offering free, secure certificates is scheduled to open it’s doors in September.

  • Chris Collins
Chris Collins 8 min read
Some Real-World Info on POODLE (CVE-2014-3566)

Some Real-World Info on POODLE (CVE-2014-3566)

TL;DR: Remove SSLv3 - the impact is likely very small

We’ve now removed SSLv3 from about 1000 servers in our environment. So far, we’ve only had one issue - a script used to call an API started to fail. The issue was the ruby rest client > 1.7.0. (Yes, that’s greater-than.)

Removing from Apache

SSLv3 is easy to remove in Apache. You probably want this in your ssl.conf (or whatever the equivalent is for your distro):

  • Chris Collins
Chris Collins 2 min read