Need help turning off insecure protocols

Doug Poulin
I can't figure out how to disable insecure cipher suites in openssl and Apache.

I've been messing around with the configuration and using ssllabs to test the results, but nothing I change seems to make any difference.
My current relevant items in the ssl.conf file are:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite !aNULL:!MD5:!SEED:!IDEA:!RC4-MD5:!RC4-SHA:!ECDHE-RSA-RC4-SHA:HIGH

SSL Labs reports, among others, the following problem:
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE
 
I found a site that converts RFC names to openssl names, and that's where I got the RC4-MD5... items. That protocol should be disabled by the !RC4-SHA directive but it's not.

As you can see, I've asked Apache not to accept TLSv1 and a couple of RSA ciphers.  I always restart the httpd service between tests, but I still get the same results.  I'm not sure what I'm missing.
btan (Exec Consultant, Distinguished Expert 2018)

Commented:
You may want to be more explicit in the SSLCipherSuite specification, within the directives Apache allows.

https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html

Let's say

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Author

Commented:
I copied and pasted your suggestion and re-ran the scan, but there are still some protocols that need attention.

They are:
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE   128
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE   128
TLS_RSA_WITH_IDEA_CBC_SHA (0x7)   WEAK   128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   INSECURE   128

Also, I want to understand the shorthand better.  I know that a + right after a colon means add and a ! means not.

Are the plus signs in the middle just a wildcard?
So ECDH+AESGCM is any cipher that starts with ECDH and ends in AESGCM.

btan (Exec Consultant, Distinguished Expert 2018)
Commented:
Looks like RC4 is still enabled in your case. To disable the cipher suites that use RC4, add an exclamation mark in front of the cipher suite, so in your case !RC4.
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite

The + just states that the matching ciphers are those that include the combination.

The available prefixes are:
none: add cipher to list
+: move matching ciphers to the current location in list
-: remove cipher from list (can be added later again)
!: kill cipher from list completely (can not be added later again).

Also, once you have entered the SSLCipherSuite directive, save the file and restart Apache so that the new setting is loaded and the weak ciphers are disabled.
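
The script below is an added example, not code from this thread, that checks the two things discussed above with the same OpenSSL cipher-list parser mod_ssl uses (Python's ssl module is linked against OpenSSL): it expands the cipher string from the original question and reports any RC4, MD5, IDEA or SEED suite that survives it, and it shows that ECDH+AESGCM is an AND of keywords (only suites that are both ECDH key exchange and AES-GCM), not a prefix/suffix wildcard, while ECDH:AESGCM with a colon is the union of the two lists. The cipher strings are the ones posted in the thread; the function names and the WEAK_MARKERS list are my own.

```python
import ssl

# The cipher string from the original question, as posted.
AUTHOR_STRING = "!aNULL:!MD5:!SEED:!IDEA:!RC4-MD5:!RC4-SHA:!ECDHE-RSA-RC4-SHA:HIGH"

# Name fragments that correspond to the suites SSL Labs flagged on this page
# (RC4 stream cipher, MD5 MAC, IDEA and SEED block ciphers). Assumed list.
WEAK_MARKERS = ("RC4", "MD5", "IDEA", "SEED")


def expand(cipher_string):
    """Return the TLS <= 1.2 suite names OpenSSL selects for cipher_string.

    set_ciphers() calls SSL_CTX_set_cipher_list, the same parser mod_ssl feeds
    SSLCipherSuite into, so this is what Apache would offer if the directive
    were actually applied. Unknown names in the string are silently ignored by
    OpenSSL; an empty result raises ssl.SSLError. TLS 1.3 suites are configured
    separately and are filtered out here so the output matches the directive.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string):
    """Suite names in the expansion that contain any WEAK_MARKERS fragment."""
    return [n for n in expand(cipher_string) if any(m in n for m in WEAK_MARKERS)]


def all_contain(cipher_string, *fragments):
    """True if the expansion is non-empty and every suite name has all fragments."""
    names = expand(cipher_string)
    return bool(names) and all(all(f in n for f in fragments) for n in names)


if __name__ == "__main__":
    print("author's string expands to %d suites" % len(expand(AUTHOR_STRING)))
    print("flagged suites:", weak_suites(AUTHOR_STRING) or "none")
    # '+' is an intersection: only suites that are ECDH *and* AES-GCM.
    print("ECDH+AESGCM ->", expand("ECDH+AESGCM"))
    # ':' is a list: ECDH:AESGCM is every ECDH suite plus every AES-GCM suite.
    print("ECDH:AESGCM ->", len(expand("ECDH:AESGCM")), "suites")
```

If the expansion printed here contains no RC4 suite but SSL Labs still reports one, the string itself is not the problem; the server is negotiating with a cipher list other than the one you edited, which is the situation the thread's final comment describes.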

Author

Commented:
OK people, I finally figured it out.  We have a number of virtual servers that use OpenSSL.  None of them has an SSLCipherSuite directive in it.  I assumed that the global directives would be taken as the default if nothing was specified; however, that's totally not the case.  You have to put the directive in every virtual server definition, otherwise you get whatever mod_ssl supports.


I'm surprised in all of the documentation that I've read, nobody ever mentioned that this was a possible pitfall.  So I'm recording it here for the next unsuspecting sysadmin so they don't spend hours and hours trying to make this all work.

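To turn the finding above into a check you can run over a configuration, here is an added audit script (not from the thread) that lists every <VirtualHost> with SSLEngine on that does not carry its own SSLCipherSuite. It also reports a missing SSLProtocol, on the assumption that the SSLProtocol line from the original question needs the same per-vhost placement; the thread itself only established this for SSLCipherSuite, so drop it from `required` if you only want the documented case. The configuration text embedded in the script is constructed for the example, with placeholder hostnames.

```python
import re
import sys

# Constructed sample in the layout the thread describes: global directives in
# ssl.conf-style text, then several virtual servers, only one of which repeats
# the directives. Hostnames are placeholders.
SAMPLE_CONFIG = """
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite !aNULL:!MD5:!SEED:!IDEA:HIGH

<VirtualHost *:443>
    ServerName one.example.test
    SSLEngine on
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
</VirtualHost>

<VirtualHost *:443>
    ServerName two.example.test
    SSLEngine on
    # no SSLCipherSuite / SSLProtocol here: this vhost is the pitfall
</VirtualHost>

<VirtualHost *:80>
    ServerName plain.example.test
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def directive(block, name):
    """Return the value of directive `name` inside block, or None if absent.

    Apache directive names are case-insensitive and a comment is a line whose
    first non-blank character is '#'.
    """
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip()
    return None


def audit(config_text, required=("SSLCipherSuite", "SSLProtocol")):
    """Return [(server_name, [missing directives])] for SSL-enabled vhosts.

    A vhost is in scope only if it sets SSLEngine on itself; a vhost that sets
    every required directive produces no finding.
    """
    findings = []
    for m in VHOST_RE.finditer(config_text):
        block = m.group(2)
        engine = directive(block, "SSLEngine")
        if engine is None or engine.lower() != "on":
            continue
        name = directive(block, "ServerName") or m.group(1).strip()
        missing = [d for d in required if directive(block, d) is None]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    # Pass config files on the command line; with none, audit the sample.
    texts = [open(path).read() for path in sys.argv[1:]] or [SAMPLE_CONFIG]
    for text in texts:
        for name, missing in audit(text):
            print("%s: missing %s" % (name, ", ".join(missing)))
```

Run it against the ssl.conf and every per-vhost file that Apache includes; each line of output is a virtual server that will negotiate with whatever mod_ssl's defaults allow rather than with the list you edited.
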
Author

Commented:
Please read my last comment in the thread
