remove some SSL certificate cipher suites

Posted on 2014-04-25
Last Modified: 2014-04-26

I've run a scan of my server to check the SSL and these have come up with a low score (I guess they should be no longer used? )

How can I amend Apache to not allow these settings? Is this even possible?

Please do not just point to information, I'm altering this on a live server so need whatever I do to work first time. :)

Here's the scan URL as the results probably mean more to you guys than they do me :

Kind regards

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK 40
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK 56

Im running the following server if that matters:

HTTPD 2.2.15-30.el6.centos

Parallels Plesk Panel v11.5.30_build115130819.13 os_CentOS 6
Question by:Neil Thompson
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 33

Expert Comment

by:Dave Howe
ID: 40023455
That depends on if you are running mod_ssl or mod_gnutls

assuming mod_ssl (and you HAVE checked you are now running 1.0.1g yes?) then the key line is in the ssl.conf file, and starts with "SSLCypherSuite" - now, you need to remove LOW from that list, but it may not be present -  you can use "ALL" in place of "HIGH:MEDIUM:LOW" for the obvious reason, so if you have "ALL" in that list, replace it with "HIGH:MEDIUM", restart the httpd and test again :)

Author Comment

by:Neil Thompson
ID: 40023522
Thanks Dave

Its running mod_ssl and 1.0.1f  compiled with -DOPENSSL_NO_HEARTBEATS, ive no idea how to  upgrade it although I do have SSH access

Just trying to find out where the ssl.conf file is. im a windows boy so finding it on Linux is weird for me :)
LVL 33

Accepted Solution

Dave Howe earned 500 total points
ID: 40023596
well, on 'buntu its in /etc/apache2/mods-enabled but on centos, I am not sure.
I would try a command prompt in /etc/apache and
grep SSLCipherSuite * */*

Open in new window

then see if it pops up :)

actual detail page is here for this directive, - you can also it seems add "!LOW" to the list to force disabling 40 bit ciphers.

Author Closing Comment

by:Neil Thompson
ID: 40024903
Many thanks  Dave

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question