https://github.com/billmeyer/extended-ssl-baseline
https://github.com/billmeyer/extended-ssl-baseline
Last synced: about 1 year ago
JSON representation
- Host: GitHub
- URL: https://github.com/billmeyer/extended-ssl-baseline
- Owner: billmeyer
- Created: 2017-07-11T21:18:56.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2017-07-11T21:31:03.000Z (almost 9 years ago)
- Last Synced: 2025-04-05T20:36:23.587Z (over 1 year ago)
- Language: Ruby
- Size: 1000 Bytes
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Extended SSL Baseline Profile
This InSpec profile extends the [dev-sec/ssl-baseline](https://github.com/dev-sec/ssl-baseline) profile to properly harden an Apache HTTPd SSL configuration. Specifically, it skips the __enc-cbc__ control as Apache won't load properly if the following cipher suites aren't minimally specified:
```
SSLProtocol -all +TLSv1.2
SSLCipherSuite ALL:+HIGH:!RSA:!DH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
```
resulting in the following runtime state:
```
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-11 15:45 CDT
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
```