I have been doing a network scan of our box, and Ncircle reported that the SSL server supports RC4 ciphers for SSLv3. Based on that I did a search, and I plan to add the following to /etc/apache/conf.d/security:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
So, if I understand correctly, the sign ! is a negation like in a programming language; then my rules should be the following:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
I kept on reading the report, and there were complaints about support for CBC and weak MAC.
I searched on and found two blogs, hynek.me and raymii.org. I am a little bit confused. Which directives are recent and address my current issues?
A little enlightenment is needed for me to pluck this. Thank you.
EDIT:
After much trouble and reading, I have come up with this:
ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXPORT
I have checked with:
openssl ciphers -V 'ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXPORT' | grep CBC
openssl ciphers -V 'ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXPORT' | grep RC4
I am not sure whether this is good enough. I suspect some browsers might have compatibility issues with that.
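An added example, not part of the original post: the OpenSSL cipher names that `openssl ciphers -V` prints (AES128-SHA, DES-CBC3-SHA, ECDHE-RSA-AES128-SHA256, ...) do not reliably contain the word CBC, only the IANA names shown with `-stdname` do, so piping that output through `grep CBC` says little about which CBC-mode suites are still enabled. The script below instead reads the `Enc=` and `Mac=` columns of the `-V` output and reports the three findings the scanner raised: RC4, CBC-mode suites and weak (MD5/SHA1) HMACs. The sample output embedded in it is constructed in the `openssl ciphers -V` column layout of OpenSSL 1.1/3.x, not captured from the asker's box, and the file name `audit_ciphers.py` is my own choice.

```python
"""Audit the output of `openssl ciphers -V '<cipher string>'` for the findings
a scanner typically raises: RC4, CBC-mode suites and weak (MD5/SHA1) HMACs.

    openssl ciphers -V 'ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!EXPORT' | python3 audit_ciphers.py

With nothing piped in, it audits the constructed SAMPLE below.
"""
import re
import sys

# Constructed sample in the `openssl ciphers -V` column layout (OpenSSL 1.1.x/3.x).
# These lines are illustrative, not the real output from the asker's server.
SAMPLE = """\
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
          0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
          0x00,0x04 - RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

# One cipher per line; the leading hex id is only printed by -V (not -v), so it is optional.
LINE_RE = re.compile(
    r"^\s*(?:0x[0-9A-F]{2},0x[0-9A-F]{2}\s+-\s+)?"
    r"(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Enc= values that are not block ciphers in CBC mode: the RC4 stream cipher and the
# AEAD constructions (which also print Mac=AEAD). "None" is the eNULL placeholder.
STREAM_OR_AEAD = ("RC4", "AESGCM", "AESCCM", "CHACHA20", "None")
WEAK_MACS = {"MD5", "SHA1"}


def parse(output):
    """Yield one dict (name, proto, kx, au, enc, mac) per cipher line; skip non-matching lines."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify(cipher):
    """Return the set of findings ('RC4', 'CBC', 'WEAK_MAC') for one parsed cipher."""
    findings = set()
    enc, mac = cipher["enc"], cipher["mac"]
    if enc.startswith("RC4"):
        findings.add("RC4")
    # OpenSSL does not print the block mode; in TLS 1.0-1.2 every suite that is
    # neither a stream cipher nor an AEAD suite is a CBC suite (AES, 3DES, Camellia, ...).
    if mac != "AEAD" and not enc.startswith(STREAM_OR_AEAD):
        findings.add("CBC")
    if mac in WEAK_MACS:
        findings.add("WEAK_MAC")
    return findings


def audit(output):
    """Map each finding to the cipher names that trigger it; CLEAN lists the rest."""
    report = {"RC4": [], "CBC": [], "WEAK_MAC": [], "CLEAN": []}
    for cipher in parse(output):
        findings = classify(cipher)
        for key in findings:
            report[key].append(cipher["name"])
        if not findings:
            report["CLEAN"].append(cipher["name"])
    return report


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, names in audit(text).items():
        print(f"{key:9s} {len(names):3d}  {' '.join(names)}")
```

Note that ECDHE-RSA-AES128-SHA256 lands in the CBC list even though its HMAC is SHA-256: a cipher string that only removes MD5/SHA1 suites still leaves CBC suites enabled, and conversely the `!SSLv3` cipher-string keyword, which on OpenSSL 1.1 and later strips every suite first defined for SSLv3, is a blunt way of reaching the AEAD-only set; the scanner's CBC finding is about the mode, so the check has to look at the mode.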