3

Can anyone help me determine hat could be the reason I am still getting VA gaps from scanner for the following? My server hosts multiple web app, but I am using the same settings for all virtual hosts.

20007 - SSL Version 2 and 3 Protocol Detection

NOTE: SSLEngine and SSLHonorCipherOrder are both tuned on.

This is for the protocols. All is disabled and only TLS versions 1.1 ans 1.2 are enabled, however, scanner still detects SSL v3

SSLProtocol -All +TLSv1.1 +TLSv1.2

I have also tried this way:

SSLProtocol all -SSLv2 -SSLv3

I have tried testing the following: openssl s_client -connect localhost:443 -ssl2 -> failure handshake (which is OK) openssl s_client -connect localhost:443 -ssl3 -> this works, and not shure why because this has been disabled for all vHosts (settings is like the one above)

===============

The other 2 vulnerabilities:

42873 - SSL Medium Strength Cipher Suites Supported Here is the list of medium strength SSL ciphers supported by the remote server : EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1 ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

65821 - SSL RC4 Cipher Suites Supported (Bar Mitzvah) List of RC4 cipher suites supported by the remote server : ECDHE-RSA-RC4-SHA Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

This is the CipherSuite. I have marked bold all the ciphers found in the scanner, and all of them have been disabled on my config, however they still appear during scan:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 !EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH-RSA-DES-CBC3-SHA !ECDHE-RSA-DES-CBC3-SHA !DES-CBC3-SHA !ECDHE-RSA-RC4-SHA !RC4-MD5 !RC4-SHA"

NOTE: Change log for the httpd version I have does not include the CVEs for the mentioned gaps as per checking. I am also aware that httpd needs to be restarted after each config change.

Please advise if any of you have suggestions, I might be missing something. Thanks.

Chyornaya Vdova
  • 94
  • 2
  • 2
  • 7

2 Answers2

3

apologies for the trouble. My team mate has discovered the following lines should also be updated in /etc/httpd/conf.d/ssl.conf:

SSLProtocol -all -TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 !EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH-RSA-DES-CBC3-SHA !ECDHE-RSA-DES-CBC3-SHA !DES-CBC3-SHA !ECDHE-RSA-RC4-SHA !RC4-MD5 !RC4-SHA"

Once updated, it cleared the security scan result.

Chyornaya Vdova
  • 94
  • 2
  • 2
  • 7
1

Refer the apache doc, this is the correct documentation that will make A+ rating in apache centos server.

https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

Refer the section "How can I create an SSL server which accepts strong encryption only?"

# "Modern" configuration, defined by the Mozilla Foundation's SSL Configuration
# Generator as of August 2016. This tool is available at
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
# require OpenSSL 1.1.0, which as of this writing was in pre-release.
SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression      off
SSLSessionTickets   off
nisamudeen97
  • 111
  • 4