• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1108
  • Last Modified:

remove some SSL certificate cipher suites

Hi

I've run a scan of my server to check the SSL and these have come up with a low score (I guess they should be no longer used? )

How can I amend Apache to not allow these settings? Is this even possible?

Please do not just point to information, I'm altering this on a live server so need whatever I do to work first time. :)

Here's the scan URL as the results probably mean more to you guys than they do me : https://www.ssllabs.com/ssltest/analyze.html?d=madcafe.co.uk&hideResults=on

Kind regards
Neil

TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK 40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK 40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK 56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK 56

Im running the following server if that matters:

HTTPD 2.2.15-30.el6.centos

Parallels Plesk Panel v11.5.30_build115130819.13 os_CentOS 6
0
Neil Thompson
Asked:
Neil Thompson
  • 2
  • 2
1 Solution
 
Dave HoweSoftware and Hardware EngineerCommented:
That depends on if you are running mod_ssl or mod_gnutls

assuming mod_ssl (and you HAVE checked you are now running 1.0.1g yes?) then the key line is in the ssl.conf file, and starts with "SSLCypherSuite" - now, you need to remove LOW from that list, but it may not be present -  you can use "ALL" in place of "HIGH:MEDIUM:LOW" for the obvious reason, so if you have "ALL" in that list, replace it with "HIGH:MEDIUM", restart the httpd and test again :)
0
 
Neil ThompsonSenior Systems DeveloperAuthor Commented:
Thanks Dave

Its running mod_ssl and 1.0.1f  compiled with -DOPENSSL_NO_HEARTBEATS, ive no idea how to  upgrade it although I do have SSH access

Just trying to find out where the ssl.conf file is. im a windows boy so finding it on Linux is weird for me :)
0
 
Dave HoweSoftware and Hardware EngineerCommented:
well, on 'buntu its in /etc/apache2/mods-enabled but on centos, I am not sure.
I would try a command prompt in /etc/apache and
grep SSLCipherSuite * */*

Open in new window

then see if it pops up :)

actual detail page is here for this directive, - you can also it seems add "!LOW" to the list to force disabling 40 bit ciphers.
0
 
Neil ThompsonSenior Systems DeveloperAuthor Commented:
Many thanks  Dave
0

Featured Post

[Webinar] Improve your customer journey

A positive customer journey is important in attracting and retaining business. To improve this experience, you can use Google Maps APIs to increase checkout conversions, boost user engagement, and optimize order fulfillment. Learn how in this webinar presented by Dito.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now