Solved

remove some SSL certificate cipher suites

Posted on 2014-04-25
4
1,037 Views
Last Modified: 2014-04-26
Hi

I've run a scan of my server to check the SSL and these have come up with a low score (I guess they should be no longer used? )

How can I amend Apache to not allow these settings? Is this even possible?

Please do not just point to information, I'm altering this on a live server so need whatever I do to work first time. :)

Here's the scan URL as the results probably mean more to you guys than they do me : https://www.ssllabs.com/ssltest/analyze.html?d=madcafe.co.uk&hideResults=on

Kind regards
Neil

TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK 40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK 40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK 56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK 56

Im running the following server if that matters:

HTTPD 2.2.15-30.el6.centos

Parallels Plesk Panel v11.5.30_build115130819.13 os_CentOS 6
0
Comment
Question by:Neil Thompson
  • 2
  • 2
4 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40023455
That depends on if you are running mod_ssl or mod_gnutls

assuming mod_ssl (and you HAVE checked you are now running 1.0.1g yes?) then the key line is in the ssl.conf file, and starts with "SSLCypherSuite" - now, you need to remove LOW from that list, but it may not be present -  you can use "ALL" in place of "HIGH:MEDIUM:LOW" for the obvious reason, so if you have "ALL" in that list, replace it with "HIGH:MEDIUM", restart the httpd and test again :)
0
 
LVL 3

Author Comment

by:Neil Thompson
ID: 40023522
Thanks Dave

Its running mod_ssl and 1.0.1f  compiled with -DOPENSSL_NO_HEARTBEATS, ive no idea how to  upgrade it although I do have SSH access

Just trying to find out where the ssl.conf file is. im a windows boy so finding it on Linux is weird for me :)
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40023596
well, on 'buntu its in /etc/apache2/mods-enabled but on centos, I am not sure.
I would try a command prompt in /etc/apache and
grep SSLCipherSuite * */*

Open in new window

then see if it pops up :)

actual detail page is here for this directive, - you can also it seems add "!LOW" to the list to force disabling 40 bit ciphers.
0
 
LVL 3

Author Closing Comment

by:Neil Thompson
ID: 40024903
Many thanks  Dave
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question