Ssl – Server SSL configuration to stop warnings and errors

apache-2.2Securityssl

I've just setup SSL on the main domain in my whm/cpanel setup, the domain has it's own ip and is all up and running correctly.

However when browsing the site in Chrome I get the following:

Your connection to example.com is encrypted with 256-bit encryption.
However, this page includes other resources which are not secure.
These resources can be viewed by others while in transite and can be
modified by an attacker to change the behaviour of the page.

The connection uses SSL 3.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message
authentication and DHE_RSA as the key exchange mechanism.

The connection is not compressed.

The connection had to be retried using SSL 3.0. This usually means
that the server is using very old software and may have other security
issues.

I have checked the WHM > Server Configuration > Apache Configuration > Global Configuration

and SSL Cipher Suite is set to the following, as recommended:

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH PCI recommended

I also have the following SSL report: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=https%3A%2F%2Fmostplays.com%2F&protocol=https

I also get this error when displaying a blank html file with just a title so it isn't from includes from external sources.

<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Test Secure</title>
</head>

<body>
<h1>Test Secure</h1>
</body>
</html>

I've checked the server software and it's using openSSL 0.9.8e, could this be a factor?

What is it that I'm doing wrong? are there any more settings that would help to diagnose the problem?

Best Answer

However, this page includes other resources which are not secure. These resources can be viewed by others while in transite and can be modified by an attacker to change the behaviour of the page.

Open the Developer Tools panel in Chrome (View -> Developer) and go to the network tab. It will list everything that it's loading. In addition, click on the warnings/errors icons at the bottom right. They'll open the list of errors, including messages such as:

The page at ... displayed insecure content from http://...
Unsafe JavaScript attempt to access frame with URL https://.../ from frame with URL http://.... Domains, protocols and ports must match

Most likely, it will come from frames and contents embedded from ads. Once you've found the "offending" resources in the list in the network tab, the "Initiator" column should give you a clue regarding what's loading them.

The connection had to be retried using SSL 3.0. This usually means that the server is using very old software and may have other security issues.

Make sure you have this (in addition to the SSLCipherSuite directive):

SSLProtocol all -SSLv2

Related Solutions

SSL – Multiple SSL Domains on the Same IP Address and Port

For the most up-to-date information on Apache and SNI, including additional HTTP-Specific RFCs, please refer to the Apache Wiki

FYsI: "Multiple (different) SSL certificates on one IP" is brought to you by the magic of TLS Upgrading. It works with newer Apache servers (2.2.x) and reasonably recent browsers (don't know versions off the top of my head).

RFC 2817 (upgrading to TLS within HTTP/1.1) has the gory details, but basically it works for a lot of people (if not the majority).
You can reproduce the old funky behavior with openssl's s_client command (or any "old enough" browser) though.

Edit to add: apparently curl can show you what's happening here better than openssl:

SSLv3

mikeg@flexo% curl -v -v -v -3 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: serialNumber=wq8O9mhOSp9fY9JcmaJUrFNWWrANURzJ; C=CA; 
              O=staging.bossystem.org; OU=GT07932874;
              OU=See www.rapidssl.com/resources/cps (c)10;
              OU=Domain Control Validated - RapidSSL(R);
              CN=staging.bossystem.org
*    start date: 2010-02-03 18:53:53 GMT
*    expire date: 2011-02-06 13:21:08 GMT
* SSL: certificate subject name 'staging.bossystem.org'
       does not match target host name 'www.yummyskin.com'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'staging.bossystem.org'
does not match target host name 'www.yummyskin.com'

TLSv1

mikeg@flexo% curl -v -v -v -1 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: C=CA; O=www.yummyskin.com; OU=GT13670640;
              OU=See www.rapidssl.com/resources/cps (c)09;
              OU=Domain Control Validated - RapidSSL(R);
              CN=www.yummyskin.com
*    start date: 2009-04-24 15:48:15 GMT
*    expire date: 2010-04-25 15:48:15 GMT
*    common name: www.yummyskin.com (matched)
*    issuer: C=US; O=Equifax Secure Inc.; CN=Equifax Secure Global eBusiness CA-1
*    SSL certificate verify ok.

Ssl – Images on IIS server not keeping HTTPS protocol

More information needed, so it's probably time to break out the difference engine.

Grab the Web Deployment Tool (MSDEPLOY) from microsoft.com, and create a package from the working web server.

Then, do an msdeploy -verb:sync with -whatif to compare the package with the prod server, and reveal differences in configuration.

If there is no difference, they will perform identically. It's not, so there is one, it's just not where you've looked so far.

Best Answer

Related Solutions

SSL – Multiple SSL Domains on the Same IP Address and Port

Ssl – Images on IIS server not keeping HTTPS protocol

Related Topic