Step-2
Apply the fixes for the SSL scan findings as shown below:
a. This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
Fix: Set the following parameter in the SSL module configuration file
/etc/apache2/mods-enabled/ssl.conf
SSLProtocol all -SSLv2 -SSLv3
b. This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
Fix: Covered by the cipher suite in (c) below; its trailing !RC4 entry removes every RC4 suite from the list, including the RC4 entries named earlier in the same string.
c. The server does not support Forward Secrecy with the reference browsers.
Fix: Set the following parameters in the Apache VirtualHost configuration
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
d. Enable OCSP stapling
Fix: Enable OCSP stapling in Apache by adding the configuration below inside the VirtualHost block in /etc/apache2/sites-enabled/000-default.conf
#OCSP Stapling Settings
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLCACertificateFile /etc/apache2/ssl/full_chain.pem (combine the site's certificate and the CA bundle into a new full_chain.pem with the command below; the path must match the file that command writes)
#cat /etc/apache2/ssl/226cf6edd769a4cb.crt /etc/apache2/ssl/gd_bundle-g2-g1.crt >/etc/apache2/ssl/full_chain.pem
Enable a cache location for OCSP stapling.
Create the cache file /var/run/ocsp:
#touch /var/run/ocsp
Add the following directive to /etc/apache2/sites-enabled/000-default.conf outside the VirtualHost block (SSLStaplingCache is only valid in the server-wide context):
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Run a config test to check Apache for SSL configuration errors:
#apachectl -t
Once all of the above configuration is in place, restart the Apache service.
Validate the OCSP stapling configuration with the command below; a working setup prints an "OCSP Response Status: successful" block, whereas "OCSP response: no response sent" means stapling is not active.
#openssl s_client -connect www.example.com:443 -status -servername www.example.com
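The following script is an added example, not part of the original guide: it audits an Apache mod_ssl configuration for the four scan findings (a)–(d) above and checks `openssl s_client -status` output for a stapled response. The sample configs and s_client excerpts are constructed, the directive parser ignores container scope, and the protocol set that `all` expands to is an assumption about the mod_ssl build being audited.

```python
"""Audit an Apache mod_ssl config for findings (a)-(d) and confirm OCSP
stapling from `openssl s_client -status` output. Samples are constructed."""
import re
from typing import Dict, List, Set

# Assumption: what 'all' expands to in the audited mod_ssl build.
PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# OpenSSL aliases broad enough to admit RC4 suites unless '!RC4' is present.
BROAD_ALIASES = {"all", "default", "complementofdefault", "high", "medium", "rc4"}

# Constructed sample: still triggers all four findings.
WEAK_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:RC4
</VirtualHost>
"""

# Constructed sample applying the fixes above (cipher list taken from item c).
HARDENED_CONF = """\
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLCACertificateFile /etc/apache2/ssl/full_chain.pem
</VirtualHost>
"""

# Constructed excerpts of `openssl s_client -status` output.
STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================
"""
NOT_STAPLED = "CONNECTED(00000003)\nOCSP response: no response sent\n"


def parse_directives(text: str) -> Dict[str, str]:
    """Map lower-cased directive name to its last value. Directive names are
    case-insensitive and a later occurrence overrides an earlier one; container
    tags and comments are skipped and scope is ignored (a simplification)."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    return directives


def enabled_protocols(value: str) -> Set[str]:
    """Expand an SSLProtocol value such as 'all -SSLv2 -SSLv3'."""
    enabled: Set[str] = set()
    for tok in value.lower().split():
        if tok == "all":
            enabled |= PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def rc4_possible(cipher_suite: str) -> bool:
    """Heuristic: '!RC4' removes RC4 suites wherever it appears; otherwise any
    non-negated token naming RC4 or a broad alias may admit them. Confirm on the
    server with `openssl ciphers -v '<string>'`."""
    tokens = [t.lower() for t in re.split(r"[\s:,]+", cipher_suite) if t]
    if "!rc4" in tokens:
        return False
    return any(t.lstrip("+") in BROAD_ALIASES or "rc4" in t.split("+")
               for t in tokens if not t.startswith("!"))


def audit(config_text: str) -> List[str]:
    """Return the scan findings (a)-(d) that the configuration still triggers."""
    d = parse_directives(config_text)
    findings: List[str] = []
    if "sslv3" in enabled_protocols(d.get("sslprotocol", "all")):
        findings.append("a: SSLv3 enabled (POODLE); add -SSLv3 to SSLProtocol")
    if rc4_possible(d.get("sslciphersuite", "DEFAULT")):
        findings.append("b: RC4 may be negotiated; add !RC4 to SSLCipherSuite")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("c: SSLHonorCipherOrder off; server will not prefer ECDHE/DHE suites")
    if d.get("sslusestapling", "off").lower() != "on":
        findings.append("d: OCSP stapling disabled; set SSLUseStapling on")
    elif "sslstaplingcache" not in d:
        findings.append("d: SSLUseStapling on but SSLStaplingCache missing (required by mod_ssl)")
    return findings


def stapling_ok(s_client_output: str) -> bool:
    """True when the server stapled a successful response with a good status."""
    return ("no response sent" not in s_client_output
            and "OCSP Response Status: successful" in s_client_output
            and "Cert Status: good" in s_client_output)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["no findings"])
    print("stapled:", stapling_ok(STAPLED), "| not stapled:", stapling_ok(NOT_STAPLED))
```

Point `audit()` at the text of ssl.conf plus the site's VirtualHost file before running `apachectl -t`, and feed the captured output of the `openssl s_client -status` command above to `stapling_ok()`. The RC4 check is deliberately conservative: OpenSSL's `!` exclusions win regardless of position, which is why the page's cipher string is clean even though it names RC4 earlier in the list.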
Step-3
Re-run the SSL Labs scan for your site: https://www.ssllabs.com/ssltest/