SSLSCAN not getting executed properly after removing TLS1.0

0

Still a newbie to Ubuntu, please excuse if it's a silly one. I posted this question on Askubuntu but someone suggested posting it here on superuser.com.

I was asked to stop supporting TLS1.0 ciphers. I googled and found out that adding the line below to ssl.conf can remove TLS1.0 from httpd:

SSLProtocol all -TLSv1

There is an "sslscan" on Kali Linux which I am using to scan the IP on port 443 to list the ciphers supported by that IP.

Now, before removing the TLS1.0 cipher, SSLSCAN worked properly and gave proper results as below:

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Accepted  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.0  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.1  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA

  Preferred Server Cipher(s):
TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256

  SSL Certificate:
"SSL Certificate details , I think is confidential to my organization so not sharing it"

After removing the TLS1.0 ciphers, SSLSCAN results are below:

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.1  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 2048 bits
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 2048 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA

  Preferred Server Cipher(s):
TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256

Failed to connect to get certificate.

Why, after removing the TLS1.0 ciphers, is sslscan not able to connect to get certificates? Am I removing TLS1.0 wrongly? If yes, what is the correct way of disabling/removing TLS1.0 ciphers? Or is it normal? Does sslscan use only TLS1.0 to scan the IP on port 443, which I had disabled, i.e. is that why it is failing to get the certificate?

In case somebody wants to have a look at this question on Askubuntu, here is the link: https://askubuntu.com/questions/819568/sslscan-not-getting-executed-properly-after-removing-tls1-0

Yash Khare

Posted 2016-09-02T07:16:30.333

Reputation: 1
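Added example, not part of the question and not sslscan's own code: a small parser over sslscan's "Accepted ..." lines that compares a before scan with an after scan, so the protocol change can be verified separately from the scanner's certificate-fetch step. The two sample outputs are constructed, abridged copies of the scans shown above.

```python
import re
from collections import defaultdict

# Constructed samples, abridged from the two scans in the question:
# before and after "SSLProtocol all -TLSv1" was applied to httpd.
BEFORE = """\
  Supported Server Cipher(s):
Accepted  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA

  SSL Certificate:
Subject: CN=example.invalid
"""
AFTER = """\
  Supported Server Cipher(s):
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA

Failed to connect to get certificate.
"""

# One "Accepted  <protocol>  <n> bits  <cipher> ..." line from sslscan output.
ACCEPTED = re.compile(r"^Accepted\s+(TLSv1\.\d|SSLv\d)\s+(\d+) bits\s+(\S+)")


def parse_sslscan(text):
    """Return ({protocol: [(cipher, bits), ...]}, certificate_fetched)."""
    ciphers = defaultdict(list)
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            ciphers[m.group(1)].append((m.group(3), int(m.group(2))))
    cert_ok = "Failed to connect to get certificate" not in text
    return dict(ciphers), cert_ok


def verify_change(before, after, disabled="TLSv1.0"):
    """Report what the config change did, independent of the certificate step."""
    b, _ = parse_sslscan(before)
    a, cert_ok = parse_sslscan(after)
    return {
        "removed_protocols": sorted(set(b) - set(a)),
        "still_accepted": sorted(a),
        "disabled_gone": disabled not in a,
        # ciphers under 128 bits of key strength (3DES in these scans)
        "weak_ciphers": sorted({n for cs in a.values() for n, bits in cs if bits < 128}),
        "certificate_fetched": cert_ok,
    }
```

The report shows that TLSv1.0 is gone while TLSv1.1 and TLSv1.2 are still served, which is what the directive was meant to do; the certificate failure is reported as a separate fact rather than being read as a failed protocol change.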

Don't confuse protocols and ciphers. For example, the TLS 1.0 and TLS 1.1 protocols use mostly the same ciphers. Your SSLProtocol is the correct approach, but I think you might need -TLSv1.0 instead? Just a guess. – user1686 – 2016-09-02T07:20:11.620

So you mean to say that... by the above method I am restricting TLS1.0 ciphers as well as TLS1.1 ciphers? Because both of them use almost the same set of ciphers and I am restricting the protocol itself? And for restricting TLS1.0 ciphers only I need to use something like "SSLProtocol all -TLSv1.0", as I only need to restrict TLS1.0 ciphers, or is it not possible at all to restrict only TLS1.0 ciphers somehow and allow TLS1.1? Please excuse if that was an obvious thing or I misunderstood it. – Yash Khare – 2016-09-04T13:50:16.730

You do not want to restrict ciphers. You want to restrict protocols. – user1686 – 2016-09-04T15:18:20.117

@grawity: Okay, for restricting the protocol TLS1.0, "-TLSv1" should be used, I think. I followed this link: https://httpd.apache.org/docs/current/mod/mod_ssl.html . But after restricting it, SSLSCAN is failing to connect to get the certificate; is it normal? – Yash Khare – 2016-09-07T06:23:46.673

No answers