8

I have been doing a network scan of our box and Ncircle reported that the SSL server supports RC4 ciphers for SSLv3. Based on that I did a search and I plan to add the following to /etc/apache/conf.d/security:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

So if I understand well, the sign ! is a negation like in a programming language, then my rules should be the following:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

I kept on reading the report and there were complaints about support for CBC and weak MAC.

I searched on and found 2 blogs, hynek.me and raymii.org. I am a little bit confused. Which directives are recent and address my current issues?

A little enlightenment is needed for me to pluck this. Thank you

EDIT:

After much trouble and reading, I have come up with this:

    ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3!EXPORT

I have checked with

    openssl ciphers -V 'ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3!EXPORT' | grep CBC

    openssl ciphers -V 'ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3!EXPORT' | grep RC4

I am not sure whether this is good enough. I suspect some browsers might have compatibility issues with that.

black sensei

1 Answer

7

There are still some RC4 ciphers in your list. To check which ciphers are offered by the server enter your list into 'openssl ciphers -V', i.e.

  $ openssl ciphers -V 'ALL:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT' | grep RC4
      0xC0,0x11 - ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
      0xC0,0x07 - ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
      0xC0,0x16 - AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
      0xC0,0x0C - ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
      0xC0,0x02 - ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
      0x00,0x8A - PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1

A good source for how to configure your server correctly is ssllabs.com. For examples of useful cipher settings see https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy.

Steffen Ullrich
  • Hello, thanks for your suggestion. The requirement of the post on Qualys is Apache 2.4. I am running Apache 2.2.22 (Ubuntu 12.04). Commands on Qualys and hynek.me are similar so I used the capital V switch like in your command: `openssl ciphers -V 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' | grep RC4` – black sensei Sep 27 '14 at 14:28
  • How do I check disabling of CBC? – black sensei Sep 27 '14 at 14:29
  • replace the `grep RC4` with `grep CBC` – Steffen Ullrich Sep 27 '14 at 15:32
  • I have made some updates. But doubting whether that is fine – black sensei Sep 27 '14 at 18:36
  • Check your site against https://www.ssllabs.com/ssltest/analyze.html. It will tell you if common browsers will have problems with the ciphers. Since you have neither 3DES nor RC4 I'm sure that IE8 will not work. – Steffen Ullrich Sep 27 '14 at 18:52
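
An added example, not from the question, answer or comments above: OpenSSL suite names such as `AES256-SHA` do not contain the string `CBC`, so classifying by the `Enc=`, `Mac=` and `Au=` columns of `openssl ciphers -V` is more reliable than matching on the name. The function names and the sample lines are constructed for illustration, and the rule that a non-AEAD block-cipher suite is CBC is an assumption that holds for TLS 1.2 and earlier.

```shell
#!/bin/sh
# Added example: classify suites by the Enc=/Mac=/Au= columns of
# `openssl ciphers -V` output (read from stdin) instead of by suite name.
# Assumption: for TLS 1.2 and earlier, a block cipher whose Mac is not AEAD
# runs in CBC mode (GOST suites are the exception and are labelled OTHER).
classify_ciphers() {
    awk '$2 == "-" {
        enc = ""; mac = ""; au = ""
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
            if ($i ~ /^Au=/)  au  = substr($i, 4)
        }
        if (enc ~ /^RC4/)        class = "RC4"
        else if (enc ~ /^None/)  class = "NULL"
        else if (mac == "AEAD")  class = "AEAD"
        else if (enc ~ /^GOST/)  class = "OTHER"
        else                     class = "CBC"
        flags = ""
        if (au == "None") flags = flags " anon"     # unauthenticated key exchange
        if (mac == "MD5") flags = flags " md5-mac"  # assumed meaning of "weak MAC"
        print class, $3 flags
    }'
}

# Expand a cipher string with the local OpenSSL and list all non-AEAD suites.
audit_cipher_string() {
    openssl ciphers -V "$1" | classify_ciphers | grep -v "^AEAD" || true
}

# Constructed sample lines in the column layout shown in the answer above.
sample_output() {
    cat <<'EOF'
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
0xC0,0x16 - AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
0x00,0x04 - RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EOF
}

sample_output | classify_ciphers
```

Run `audit_cipher_string` with the same string that goes into `SSLCipherSuite`; an empty result means only AEAD suites remain.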