remove some SSL certificate cipher suites

Posted on 2014-04-25
Last Modified: 2014-04-26

I've run a scan of my server to check the SSL and these have come up with a low score (I guess they should be no longer used? )

How can I amend Apache to not allow these settings? Is this even possible?

Please do not just point to information, I'm altering this on a live server so need whatever I do to work first time. :)

Here's the scan URL as the results probably mean more to you guys than they do me :

Kind regards

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK 40
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK 56

Im running the following server if that matters:

HTTPD 2.2.15-30.el6.centos

Parallels Plesk Panel v11.5.30_build115130819.13 os_CentOS 6
Question by:Neil Thompson
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 33

Expert Comment

by:Dave Howe
ID: 40023455
That depends on if you are running mod_ssl or mod_gnutls

assuming mod_ssl (and you HAVE checked you are now running 1.0.1g yes?) then the key line is in the ssl.conf file, and starts with "SSLCypherSuite" - now, you need to remove LOW from that list, but it may not be present -  you can use "ALL" in place of "HIGH:MEDIUM:LOW" for the obvious reason, so if you have "ALL" in that list, replace it with "HIGH:MEDIUM", restart the httpd and test again :)

Author Comment

by:Neil Thompson
ID: 40023522
Thanks Dave

Its running mod_ssl and 1.0.1f  compiled with -DOPENSSL_NO_HEARTBEATS, ive no idea how to  upgrade it although I do have SSH access

Just trying to find out where the ssl.conf file is. im a windows boy so finding it on Linux is weird for me :)
LVL 33

Accepted Solution

Dave Howe earned 500 total points
ID: 40023596
well, on 'buntu its in /etc/apache2/mods-enabled but on centos, I am not sure.
I would try a command prompt in /etc/apache and
grep SSLCipherSuite * */*

Open in new window

then see if it pops up :)

actual detail page is here for this directive, - you can also it seems add "!LOW" to the list to force disabling 40 bit ciphers.

Author Closing Comment

by:Neil Thompson
ID: 40024903
Many thanks  Dave

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you need a certificate so you can offer SSL encryption.  But which one should you get?  There are so many choices out there! Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Auth…
If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : All lightning effects with instructions : http://www.mediaf…
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question