Strong SSL Security on OwnCloud

By | May 29, 2017

Having an OwnCloud installation on the home network is very useful, but to use it to its full potential you have to open it to the world.

One of the best tutorials to install OwnCloud on Fedora 20+ is the online tutorial from BitFresh.

By following all the steps you get a nice secure OwnCloud installation as a start.

What the tutorial lacks is the next step in securing the site, the step after which we can get an A rating for SSL security.

The best way to test the security of your newly installed site is the Qualys SSL Lab test page, where your site is analyzed for all the currently known weaknesses.

You will notice that the list of vulnerabilities in the standard Fedora + Apache + OwnCloud installation is quite extensive. As a result, there are a lot of holes that must be closed.

The tutorial I followed to start closing the security holes is Strong SSL Security on Apache2. Of course, there are some changes from that tutorial: during the frequent iterations of changing settings and retesting the site with the Qualys SSL Lab test page, there were some extra changes.

The end result for the owncloud.conf configuration file for Apache looks like the following:

<Virtualhost 192.168.1.103:443>

SSLEngine On
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/mycert.crt
SSLCertificateKeyFile /etc/ssl/certs/mycert.key

ServerName "home.voina.org"

DocumentRoot "/media/storage/www/html/owncloud/owncloud"

CustomLog "/var/log/httpd/home-cloud-access.log" combined
ErrorLog "/var/log/httpd/home-cloud-error.log"
<Directory "/media/storage/www/html/owncloud">
 Options Indexes FollowSymLinks MultiViews
 AllowOverride All
 Require all granted
 Satisfy Any
</Directory>

</Virtualhost>

Some things to note:

<ul>
	<li>All the accepted cipher suites are listed explicitly in <em>SSLCipherSuite</em>, eliminating the ones having known vulnerabilities</li>
	<li>SSL v2 and SSL v3 are both disabled due to known security issues</li>
	<li>I force the usage of a very strong pair of server key and self-signed certificate: the key is RSA 2048 bits (e 65537) and the signature algorithm is SHA256withRSA</li>
</ul>
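The cipher and protocol notes above can be checked offline against the configuration itself. The following is an added example, not part of the original post: it classifies each enabled `SSLCipherSuite` token by name only (it does not query OpenSSL) and resolves the `SSLProtocol` value. The function names and the `supported` protocol list are assumptions for illustration.

```python
ALIASES = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT"}  # OpenSSL group keywords
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")               # ephemeral key exchange
# Copied verbatim from the SSLCipherSuite line of the configuration on this page.
CIPHER_SUITE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:"
    "AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)
SSL_PROTOCOL = "all -SSLv2 -SSLv3"  # value of the SSLProtocol line on this page

def audit_ciphers(spec):
    """Map each enabled token to the weaknesses its name implies."""
    findings = {}
    for token in spec.split(":"):
        if token.startswith(("!", "-")):  # exclusions enable nothing
            continue
        notes = []
        if token in ALIASES:
            notes.append("alias")  # expansion depends on the local OpenSSL build
        else:
            if "DES-CBC3" in token:
                notes.append("3des")  # 64-bit block cipher; "!DES" only drops single DES
            if not token.startswith(FS_PREFIXES):
                notes.append("no-forward-secrecy")  # static RSA key exchange
        if notes:
            findings[token] = notes
    return findings

def enabled_protocols(value, supported=("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")):
    """Resolve an SSLProtocol value; `supported` is an assumed mod_ssl build."""
    enabled = set()
    for word in value.split():
        sign, name = (word[0], word[1:]) if word[0] in "+-" else ("+", word)
        for n in (supported if name.lower() == "all" else (name,)):
            if sign == "-":
                enabled.discard(n)
            elif n in supported:
                enabled.add(n)
    return sorted(enabled)

if __name__ == "__main__":
    for token, notes in audit_ciphers(CIPHER_SUITE).items():
        print(f"{token:24} {', '.join(notes)}")
    print("protocols:", enabled_protocols(SSL_PROTOCOL))
```

Run against the values above, it reports the three DES-CBC3 entries, the seven entries without forward secrecy, and the `HIGH` alias, and shows that TLS 1.0 and 1.1 stay enabled alongside TLS 1.2.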

As a result I got a nice A rating, if you do not take into account the trust issues caused by the fact that I use a self-signed certificate.

SSLTest

Update:

By switching from self-signed to Let's Encrypt certificates I was able to easily get an A+ rating.
