I can't figure out how to disable insecure cipher suites in openssl and Apache.
I've been messing around with the configuration and using ssllabs to test the results, but nothing I change seems to make any difference.
My current relevant item in the ssl.conf file is:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSL Labs reports, among others, the following problem:
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE
I found a site that converts RFC names to openssl names, and that's where I got the RC4-MD5... items. That protocol should be disabled by the !RC4-SHA directive but it's not.
As you can see I've asked Apache not to accept TLSv1 and a couple of RSA ciphers. I always restart the httpd service between tests, but I still get the same results. I'm not sure what I'm missing.
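As an added example, not part of the original question: a small Python check, using only the standard library's ssl module, that expands an OpenSSL cipher string the same way Apache's SSLCipherSuite directive would and lists any enabled suites a scanner such as SSL Labs would flag. The two cipher strings and the list of weak-name markers are constructed for the example; the result depends on the OpenSSL build Python is linked against.

```python
"""Expand an OpenSSL cipher string and report the weak suites it enables.

Added example (not from the original post). The ssl module hands the
string to the linked OpenSSL, so the expansion matches what Apache's
SSLCipherSuite directive would enable on the same library.
"""
import ssl

# Constructed list of substrings that mark a suite most scanners flag as
# insecure or weak: RC4, MD5 MACs, NULL encryption, export grades,
# (3)DES-CBC, and anonymous key exchange.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES-CBC", "ADH", "AECDH")


def expand_cipher_string(cipher_string):
    """Return the OpenSSL names of every suite the string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejects a string that matches no cipher at all.
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(cipher_string):
    """Names of enabled suites that a scanner would report as insecure."""
    return [name for name in expand_cipher_string(cipher_string)
            if any(marker in name for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    # Constructed strings: the first excludes only the single suite named
    # RC4-SHA, the second excludes the whole RC4 family and every MD5 suite.
    for candidate in ("ALL:!RC4-SHA", "HIGH:!aNULL:!MD5:!RC4"):
        print(candidate, "->", weak_suites(candidate) or "no weak suites")
```

On OpenSSL builds that still ship RC4, the first string leaves RC4-MD5 enabled because "!RC4-SHA" names one suite rather than the RC4 family; the second string reports no weak suites on any build.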