forr tan asked on
Need to remove last 2 weak ciphers. Apache on Solaris, need correct SSLCipherSuite line

Need to get rid of these last 2 weak ciphers. Apache on Solaris.

Cipher check failure:

TLSv1.1:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

SSLCipherSuite line:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!CBC

SSLProtocol line:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.2
Dr. Klahn

See the articles on this topic at:

https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html

and

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslproxyciphersuite

A simpler way to look at all of this is to use the "openssl ciphers -v" command, which provides a nice way to successively create the correct cipher-spec string. The default cipher-spec string is "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", which means the following: first, remove from consideration any ciphers that do not authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next, use ciphers using RC4 and RSA. Next include the high, medium and then the low security ciphers. Finally pull all SSLv2 and export ciphers to the end of the list.
Rather than following the instructions above and using

SSLProtocol all -SSLv2 -SSLv3

"SSLProtocol all" expands to all the protocols that you have to subtract.

Even TLSv1.2 is already 9 years old and the others are even older. Just use the following and get rid of all the older versions and save some typing:

SSLProtocol TLSv1.2
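As an added check (example code, not part of either reply and not the asker's configuration): the quickest way to know what an SSLCipherSuite string really enables is to expand it, which is what Dr. Klahn's "openssl ciphers -v" does. The Python below performs the same expansion through the ssl module, which hands the string to the same OpenSSL cipher-list parser, so the result can be inspected and asserted on. Two things it makes visible: the scanner's TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_128_CBC_SHA are OpenSSL's AES256-SHA and AES128-SHA, which the string in the question lists explicitly, and the trailing !CBC is not an alias the OpenSSL cipher-list syntax defines, so it removes nothing. The HARDENED string is this example's own assumption: the two static-RSA suites are simply left out and !kRSA excludes the whole static-RSA class, so nothing without forward secrecy can creep back in through a later edit. The context also pins the floor to TLS 1.2, matching the SSLProtocol TLSv1.2 suggestion above; the SSLProtocol line in the question subtracts TLSv1.2 but not TLSv1.1, which is why the scanner reports the two suites under TLSv1.1.

```python
import ssl

# Constructed for this example: the SSLCipherSuite value from the question,
# joined back onto one line. OpenSSL names are used here; AES256-SHA and
# AES128-SHA are the IANA TLS_RSA_WITH_AES_256_CBC_SHA / _128_CBC_SHA.
ECDHE_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA"
)
ORIGINAL = (ECDHE_SUITES + ":AES256-SHA:AES128-SHA"
            ":!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!CBC")

# Assumed replacement (this example's suggestion, not the asker's config):
# the two static-RSA suites are not listed at all, !kRSA excludes every
# static-RSA key exchange, and the "!CBC" token is dropped because it is not
# an OpenSSL cipher-list alias (unknown words are silently ignored).
HARDENED = ECDHE_SUITES + ":!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!kRSA"

# The two suites the scanner flagged, in OpenSSL naming.
FLAGGED = {"AES256-SHA", "AES128-SHA"}


def server_context(cipher_string):
    """Server-side context with the same floor as 'SSLProtocol TLSv1.2'.
    TLS 1.3 suites, where the library has them, are governed by their own
    list and are not affected by this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite survives
    return ctx


def expand(cipher_string):
    """Expand a cipher string the way 'openssl ciphers -v' prints it: one
    description line per enabled TLS 1.2-and-below suite, in preference
    order (e.g. 'AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1')."""
    ctx = server_context(cipher_string)
    return [" ".join(c["description"].split())
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_names(cipher_string):
    """Just the suite names, in the order the server will prefer them."""
    return [line.split()[0] for line in expand(cipher_string)]


def flagged_suites(cipher_string):
    """Which of the two suites the scanner listed are still enabled."""
    return [name for name in suite_names(cipher_string) if name in FLAGGED]


def static_rsa_suites(cipher_string):
    """Every enabled suite with static RSA key exchange (Kx=RSA), i.e. the
    whole no-forward-secrecy class, not only the two the scanner happened
    to report."""
    return [line.split()[0] for line in expand(cipher_string)
            if "Kx=RSA" in line.split()]


if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(f"--- {label}: {len(suite_names(spec))} suites, "
              f"flagged still enabled: {flagged_suites(spec) or 'none'}, "
              f"static RSA: {static_rsa_suites(spec) or 'none'}")
        for line in expand(spec):
            print("  " + line)
```

Run it on the Solaris host against the OpenSSL that Apache is actually linked with (or run "openssl ciphers -v '<string>'" there), because the enabled set depends on that library's build and security level, not on the one where the scanner runs. A string that leaves no usable suite makes set_ciphers raise ssl.SSLError, which is the same condition that makes mod_ssl reject the directive at startup, so it is worth catching here before restarting the server.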