Thank you.  With the setting below in httpd.conf

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!RC4:!ECDHE-RSA-DES-CBC3-SHA:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS

and in vhosts.conf with:
NameVirtualHost *:443
...
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...
I get an "A+" rating, so I think it should be OK

Certificate 100
Protocol Support 95
Key Exchange 80
Cipher Strength 90

--
Joseph


On 06/22/14 09:55, Mick wrote:
> On Sunday 22 Jun 2014 02:29:44 Joseph wrote:
>> Before upgrading to apache 2.2.27 I had this line in httpd.conf
>> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>>
>> and I was getting "A-" rating from: www.ssllabs.com
>>
>> Now after upgrading to apache-2.2.27 I'm getting "C" because of weak Cipher
>> Strength inclusion:
>>
>> TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK      40
>> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK      40
>> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK      40
>> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK      40
>> TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK      56
>> TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK      56
>>
>> How to get rid of it?  I've tried setting in 00_default_ssl_vhost.conf
>>
>> SSLProtocol all -SSLv2 -SSLv3
>
> It should be better to set -ALL to disable all protocols and then explicitly
> enable only the protocols that you want to trust as secure, e.g. +TLSv1.2
>
>> SSLCompression Off
>> SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED
>> !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
>
> This leaves the anonymous DH enabled which will give you a poor rating.
>
>> or
>> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>
> This enables RC4 which may give you a poor rating - not sure.  Better you move
> it down the list so that more secure ciphers are tried first.
>
>> nothing helps, I'm still getting "C" because of weak Cipher Strength
>> inclusion.
>
> This is because you inadvertently allow weak ciphers in your directives above.
>
> Try running openssl ciphers -v <string> to see what your directives allow and
> in what order.  Then modify them accordingly.
>
> HTH.
> --
> Regards,
> Mick
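As an added illustration of the `openssl ciphers -v` check Mick suggests (not code from the thread or from Apache/OpenSSL): this Python script parses that command's output and flags the suite properties the thread is concerned with (export grade, keys under 112 bits, anonymous DH, RC4/DES, MD5), in the order the server would offer them. It runs the real command when `openssl` is on PATH; the embedded sample output is constructed for offline use, not captured from Joseph's server.

```python
import re
import subprocess

# Constructed sample in the layout `openssl ciphers -v` prints (name, protocol, Kx=,
# Au=, Enc=cipher(bits), Mac=, optional "export"); not output from the thread's server.
SAMPLE_OPENSSL_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+"
                  r"Enc=(\w+)(?:\((\d+)\))?\s+Mac=(\S+)(\s+export)?")

def parse(text):
    """Turn `openssl ciphers -v` output into dicts, preserving preference order."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # anything else (blank lines, noise) is skipped
            name, proto, kx, au, enc, bits, mac, exp = m.groups()
            suites.append({"name": name, "proto": proto, "kx": kx, "au": au, "enc": enc,
                           "bits": int(bits) if bits else 0, "mac": mac, "export": bool(exp)})
    return suites

def weaknesses(s):
    """Reasons a suite would be flagged, limited to what the thread discusses."""
    checks = [(s["export"], "export"),
              (s["bits"] < 112, "%d-bit" % s["bits"]),
              (s["au"] == "None", "anonymous DH"),
              (s["enc"] in ("RC4", "DES"), s["enc"]),
              (s["mac"] == "MD5", "MD5")]
    return [label for hit, label in checks if hit]

def audit(text):
    """[(suite name, [weaknesses])] in the order the server would offer them."""
    return [(s["name"], weaknesses(s)) for s in parse(text)]

def openssl_ciphers_v(cipher_string):
    """Run the real `openssl ciphers -v <string>`; None if openssl is missing or rejects it."""
    try:
        run = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return run.stdout if run.returncode == 0 else None

if __name__ == "__main__":  # Joseph's original directive; sample output when offline
    text = openssl_ciphers_v("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT")
    for name, why in audit(text or SAMPLE_OPENSSL_V):
        print("%-30s %s" % (name, ", ".join(why) or "ok"))
```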

