Every month there are articles on the web about some app or platform using outdated crypto configurations in its SSL implementation. This has gotten me worried... what about my own implementations?
What exactly should I do to configure OpenSSL in the most secure fashion when I use it in an app for serving and/or consuming HTTPS? (e.g. in combination with cURL)
Aside from configuration, what other steps must be taken to ensure that OpenSSL is used securely? Are there any special steps I should take, e.g. in relation to the public key infrastructure?
Is there some "known good" configuration available on the web?
Ensure that your certificate provider signs your certificate with a SHA1 or better (SHA2 preferred) hash.
HTTPS (SSL/TLS) is only effective if you verify the certificate. This is most commonly performed by the client. If the client does not verify the identity of the server by verifying the certificate, you are subject to man in the middle attacks.
You can configure the server so that it does not allow the older (SSL) protocol, and instead requires the latest TLS protocol, which is cryptographically stronger (e.g. SHA1 and MD5 in the pseudo-random function instead of just MD5 in TLS 1.0, and TLS 1.2 uses SHA2).
When creating your certificate key pair, choose a longer key (e.g. 2048 bit is preferred over 1024 bit).
There are some good recommendations on the Mozilla wiki:
Security/Server Side TLS