Doug Poulin
asked on
Need help turning off insecure protocols
I can't figure out how to disable insecure cipher suites in openssl and Apache.
I've been messing around with the configuration and using ssllabs to test the results, but nothing I change seems to make any difference.
My current relevant items in the ssl.conf file are:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite !aNULL:!MD5:!SEED:!IDEA:!RC4-MD5:!RC4-SHA:!ECDHE-RSA-RC4-SHA:HIGH
SSL Labs reports, among others, the following problem:
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE
I found a site that converts RFC names to openssl names, and that's where I got the RC4-MD5... items. That protocol should be disabled by the !RC4-SHA directive but it's not.
As you can see I've asked Apache not to accept TLSv1 and a couple of RSA ciphers. I always restart the httpd service between tests, but I still get the same results. I'm not sure what I'm missing.
ASKER
I copied and pasted your suggestion and re-ran the scan but there are still some protocols that need attention.
they are:
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_IDEA_CBC_SHA (0x7) WEAK 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH secp521r1 (eq. 15360 bits RSA) FS INSECURE
Also I want to understand the shorthand better. I know that a + right after a colon means add and a ! means not.
Are the plus signs in the middle just a wildcard?
So ECDH+AESGCM is any cipher that starts with ECDH and ends in AESGCM.
ASKER
Ok people, I finally figured it out. We have a number of virtual servers that use openSSL. None of them have an SSLCipherSuite directive in them. I assumed that the global directives would be taken as the default if nothing was specified, however, that's totally not the case. You have to put the directive in every virtual server definition otherwise you get whatever the modSSL supports.
I'm surprised in all of the documentation that I've read, nobody ever mentioned that this was a possible pitfall. So I'm recording it here for the next unsuspecting sysadmin so they don't spend hours and hours trying to make this all work.
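A check for the pitfall described in this comment, added here as an example and not code from the thread: a POSIX shell/awk script that flags every `<VirtualHost>` with `SSLEngine on` that has no `SSLCipherSuite` or `SSLProtocol` of its own, since mod_ssl does not carry those server-scope directives into the vhost. The config text, hostnames and function names are constructed for the example.

```shell
#!/bin/sh
# Audit an Apache config for TLS vhosts that would silently fall back to
# mod_ssl's defaults because they set neither SSLCipherSuite nor SSLProtocol.

# Constructed sample config (not a real server): one correctly configured TLS
# vhost, one TLS vhost relying on the server-scope directives, one plain-HTTP vhost.
SAMPLE_CONF='
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!IDEA:!SEED
<VirtualHost *:443>
    ServerName good.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!IDEA:!SEED
</VirtualHost>
<VirtualHost *:443>
    ServerName bad.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.com
</VirtualHost>
'

# audit_vhosts: reads an Apache config on stdin and prints one line per
# <VirtualHost> that enables SSL but lacks SSLCipherSuite and/or SSLProtocol.
# Directive names are matched case-insensitively, as Apache does.
audit_vhosts() {
    awk '
    tolower($1) == "<virtualhost" { invh = 1; name = $0; ssl = 0; cs = 0; proto = 0; next }
    invh && tolower($1) == "servername" { name = $2 }
    invh && tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1 }
    invh && tolower($1) == "sslciphersuite" { cs = 1 }
    invh && tolower($1) == "sslprotocol" { proto = 1 }
    tolower($1) == "</virtualhost>" {
        if (ssl && !(cs && proto))
            printf "%s: missing%s%s\n", name, (cs ? "" : " SSLCipherSuite"), (proto ? "" : " SSLProtocol")
        invh = 0
    }'
}

# count_unconfigured: number of flagged vhosts in the sample; a non-zero
# count is what a deployment check would treat as a failure.
count_unconfigured() {
    printf '%s\n' "$SAMPLE_CONF" | audit_vhosts | wc -l | tr -d ' '
}

# Stand-alone run: report the vhosts that need their own TLS directives.
printf '%s\n' "$SAMPLE_CONF" | audit_vhosts
```

Run it as `audit_vhosts < /etc/httpd/conf.d/ssl.conf` (or over the concatenated output of `httpd -t -DDUMP_CONFIG` where available) to cover every included file.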
ASKER
Please read my last comment in the thread
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
Let's say
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH