Solved

remove some SSL certificate cipher suites

Posted on 2014-04-25
Last Modified: 2014-04-26
Hi

I've run a scan of my server to check the SSL and these have come up with a low score (I guess they should be no longer used?)

How can I amend Apache to not allow these settings? Is this even possible?

Please do not just point to information, I'm altering this on a live server so need whatever I do to work first time. :)

Here's the scan URL, as the results probably mean more to you guys than they do to me: https://www.ssllabs.com/ssltest/analyze.html?d=madcafe.co.uk&hideResults=on

Kind regards
Neil

TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK 40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK 40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK 56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK 56

I'm running the following server, if that matters:

HTTPD 2.2.15-30.el6.centos

Parallels Plesk Panel v11.5.30_build115130819.13 os_CentOS 6
Question by:NeilT

Expert Comment

by:Dave Howe
ID: 40023455
That depends on whether you are running mod_ssl or mod_gnutls.

Assuming mod_ssl (and you HAVE checked you are now running 1.0.1g, yes?) then the key line is in the ssl.conf file, and starts with "SSLCipherSuite". Now, you need to remove LOW from that list, but it may not be present - you can use "ALL" in place of "HIGH:MEDIUM:LOW" for the obvious reason, so if you have "ALL" in that list, replace it with "HIGH:MEDIUM", restart the httpd and test again :)

Author Comment

by:NeilT
ID: 40023522
Thanks Dave

It's running mod_ssl and 1.0.1f compiled with -DOPENSSL_NO_HEARTBEATS. I've no idea how to upgrade it, although I do have SSH access.

Just trying to find out where the ssl.conf file is. I'm a Windows boy so finding it on Linux is weird for me :)

Accepted Solution

by:Dave Howe (earned 500 total points)
ID: 40023596
Well, on 'buntu it's in /etc/apache2/mods-enabled, but on CentOS I am not sure.
I would try a command prompt in /etc/apache and
grep SSLCipherSuite * */*

then see if it pops up :)

The actual detail page for this directive is here - you can also, it seems, add "!LOW" to the list to force disabling 40-bit ciphers.
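One way to check the change discussed in the two answers above, before and after editing the directive (an added example, not code from the thread): it locates the active SSLCipherSuite lines and lists which suites in an `openssl ciphers -v` expansion are export-grade, unencrypted, or 56-bit or weaker. The function names, the sample lines and the /etc/httpd path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check what a cipher string enables.

# Print "file:cipher-string" for each active SSLCipherSuite directive
# found under the directory given as $1 (commented-out lines are skipped).
find_suites() {
    grep -rHE '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" 2>/dev/null |
        sed 's/:[[:space:]]*SSLCipherSuite[[:space:]][[:space:]]*/:/'
}

# Read `openssl ciphers -v` lines on stdin and print the names of suites
# that are export-grade, unencrypted, or use a key of 56 bits or less.
flag_weak() {
    awk '{
        bits = 999
        for (i = 1; i <= NF; i++) {
            if ($i == "Enc=None") bits = 0
            else if ($i ~ /^Enc=.*\([0-9]+\)$/) {
                b = $i; sub(/^.*\(/, "", b); sub(/\)$/, "", b); bits = b + 0
            }
        }
        if ($NF == "export" || bits <= 56) print $1
    }'
}

# Expand each configured string with the local openssl binary and report
# the weak suites it still enables (result depends on the OpenSSL build).
audit_dir() {
    find_suites "$1" | while IFS=: read -r file suite; do
        weak=$(openssl ciphers -v "$suite" 2>/dev/null | flag_weak | tr '\n' ' ')
        printf '%s\n  SSLCipherSuite %s\n  weak: %s\n' "$file" "$suite" "${weak:-none}"
    done
}

# Constructed sample in `openssl ciphers -v` layout: the six suites from the
# scan in the question under their OpenSSL names, plus one strong suite.
SAMPLE='EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'

# Usage: sh audit.sh /etc/httpd   (the directory is an assumed location)
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```

In OpenSSL's cipher-list syntax the 40-bit suites in the scan belong to the EXPORT (EXP) group and the 56-bit DES suites to LOW, so a rerun after the edit should list neither. Running `apachectl configtest` before restarting httpd catches a syntax error in the edited directive.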

Author Closing Comment

by:NeilT
ID: 40024903
Many thanks, Dave