6

Our PCI scanners just informed us that we have the BEAST (Browser Exploit Against SSL/TLS) vulnerability.

Apparently, the remediation is as follows:

Affected users should disable all block-based cipher suites in the server's SSL configuration and only support RC4 ciphers, which are not vulnerable to fully address this vulnerability. This vulnerability was addressed in TLS version 1.1/1.2, however, support for these newer TLS versions is not widely supported at the time of this writing, making it difficult to disable earlier versions. Additionally, affected users can also configure SSL to prefer RC4 ciphers over block-based ciphers to limit, but not eliminate, exposure

So, basically, we have to only (or at least prioritize) support for RC4 ciphers.

How do we actually go about doing this on an existing certificate?

EDIT: forgot to add that this is an Apache (CentOS) server.

JonoB
  • If I remember correctly, this isn't done via the certificate; you have to do it via your SSL module configuration. – Polynomial Dec 01 '12 at 22:36
  • 2
    RC4 ciphers are now demonstrably broken: http://www.isg.rhul.ac.uk/tls/. Refer to the countermeasures listed in the link for suggestions. – lmingle Mar 19 '13 at 18:49

2 Answers

4

The cipher suite is (mostly) orthogonal to the certificate. The RC4-based cipher suites are:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

Both require a certificate with an RSA key, and "suitable for encryption" (that is, a certificate which has not been marked as signature-only). There is a high probability that your certificate is already fine for that. Beyond that, the certificate is not related to the choice of symmetric encryption algorithm.

The configuration of cipher suites employed by your server depends on the server type. If your server is IIS, see this previous question which describes how it is done.


Apparently, there was an old draft from a decade ago, which defined three additional RC4-based cipher suites:

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
TLS_DHE_DSS_WITH_RC4_128_SHA

The first two use a key of only 56 bits, which is not enough for serious security (although it may deter some low-power amateurs); these were defined in order to comply with the US export rules which were briefly in force at that time. The third cipher suite provides the only way to use RC4 with a large enough key, when your server's asymmetric key has type DSS; it also enables Perfect Forward Secrecy, which is neat.

These suites are not standard (they are not in the IANA registry) but some browsers use them, in particular Internet Explorer. I suppose IIS can be made to support them.

(Certificates with DSS keys are pretty rare nowadays.)

Thomas Pornin
2

This is done at the web server level; if you are using Apache, you can configure:

SSLCipherSuite RC4-SHA

Also refer to serverfault.

Lucas Kauffman
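An added example, not part of either answer or of Apache itself: a Python check that reads a mod_ssl configuration and reports which of the scanner's two options it meets, RC4 only or RC4 preferred (which also needs `SSLHonorCipherOrder on`, otherwise the client's order decides). The sample config, the function names and the name-based cipher classification are assumptions made for illustration.

```python
import re

# Constructed mod_ssl fragment for the demo (not taken from the page).
SAMPLE_CONF = """
<VirtualHost *:443>
    # SSLCipherSuite ALL
    SSLHonorCipherOrder On
    SSLCipherSuite RC4-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL
</VirtualHost>
"""

def directive(conf, name):
    """Last uncommented value of an Apache directive, or None if absent."""
    pat = rf"^[ \t]*{re.escape(name)}[ \t]+(.+?)[ \t]*$"
    hits = re.findall(pat, conf, re.M | re.I)
    return hits[-1] if hits else None

def classify(token):
    """Name-based heuristic (assumption): classify one cipher-string token."""
    up = token.upper()
    if token[0] in "!-+":
        return "operator"   # exclusion or reordering; offers nothing by itself
    if "RC4" in up:
        return "rc4"        # stream cipher, outside BEAST's CBC attack surface
    if "-" not in token or "+" in token:
        return "alias"      # HIGH, ALL, ECDH+AES...: needs OpenSSL to expand
    if "GCM" in up or "CHACHA20" in up:
        return "aead"       # TLS 1.2-only suites, not CBC
    return "cbc"            # remaining concrete names are block/CBC suites

def beast_audit(conf):
    """Map a config to the scanner's options: RC4 only, RC4 preferred, or neither."""
    spec = (directive(conf, "SSLCipherSuite") or "").strip("\"'")
    honor = (directive(conf, "SSLHonorCipherOrder") or "off").lower() == "on"
    offered = [(t, classify(t)) for t in re.split(r"[:, ]+", spec) if t]
    kinds = [k for _, k in offered if k != "operator"]
    if not kinds:
        verdict = "no-explicit-list"
    elif all(k == "rc4" for k in kinds):
        verdict = "rc4-only"
    elif kinds[0] == "rc4" and honor:
        verdict = "rc4-preferred"   # server order wins, RC4 chosen when offered
    else:
        verdict = "cbc-exposed"     # client order or a leading block suite decides
    return {"verdict": verdict, "cbc": [t for t, k in offered if k == "cbc"],
            "aliases": [t for t, k in offered if k == "alias"]}

if __name__ == "__main__":
    print(beast_audit(SAMPLE_CONF))
```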