Disabling RC4 ciphering in Apache 2.4 vhost and still available

In Apache 2.4, my vhost includes the following:

SSLCertificateFile /etc/letsencrypt/live/qualification.teamagora.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/qualification.teamagora.com/privkey.pem
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          HIGH:MEDIUM
SSLHonorCipherOrder     on
SSLCompression          off

which should deactivate RC4 ciphering...

Nevertheless, SSLLabs shows that the following ciphering is available!

TLS_RSA_WITH_RC4_128_MD5 (0x4)           INSECURE   128
TLS_RSA_WITH_RC4_128_SHA (0x5)           INSECURE   128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)  INSECURE   128

Where can I deactivate RC4 completely?

Why is the vhost configuration file not taken into account (I did service apache2 restart)?

Stéphane V

Posted 2017-08-30T13:51:51.093

Reputation: 61

It's not nice to start a bounty and then abandon it. – harrymc – 2017-09-10T09:38:21.270

Answers

Your SSLCipherSuite does not disable RC4. It should look more like:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:+HIGH:+MEDIUM:+LOW

You should follow Recommended configurations from Mozilla, since a secure TLS configuration is more than disabling RC4. You will find in the article a link to the Mozilla SSL Configuration Generator that makes it easy to configure proper cipher suites per server and browser types.

harrymc

Posted 2017-08-30T13:51:51.093

Reputation: 306 093
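To see why the question's `HIGH:MEDIUM` string leaves RC4 enabled while the answer's string does not, here is an added example (not code from the question, the answer, Apache or OpenSSL) that evaluates OpenSSL cipher-list strings against a small constructed cipher table. The table is an assumption: it is a hand-picked subset with HIGH/MEDIUM/LOW labels as OpenSSL 1.0.x classified them, where the 128-bit RC4 suites sat in MEDIUM. The evaluator implements the documented prefix rules of the OpenSSL cipher-list syntax: a bare keyword appends matching suites, `-` removes them but lets a later keyword add them back, `!` removes them permanently, and `+` moves already-selected suites to the end of the preference order.

```python
"""Evaluate OpenSSL-style cipher-list strings against a constructed cipher table.

Added example, not from the original question or answer. The cipher table is a
constructed subset; strength labels follow OpenSSL 1.0.x (assumption), in which
128-bit RC4 suites were classified MEDIUM. That single fact is why a
"HIGH:MEDIUM" SSLCipherSuite still offers RC4.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str        # OpenSSL cipher name
    iana: str        # IANA name, as SSLLabs prints it
    tags: frozenset  # cipher-list keywords this suite matches


# Constructed subset of the OpenSSL cipher table (assumption: 1.0.x strength labels).
CIPHERS = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
           frozenset({"HIGH", "ECDHE", "kEECDH", "RSA", "AES", "AESGCM"})),
    Cipher("ECDHE-RSA-AES128-SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
           frozenset({"HIGH", "ECDHE", "kEECDH", "RSA", "AES"})),
    Cipher("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
           frozenset({"HIGH", "kRSA", "RSA", "AES"})),
    Cipher("ECDHE-RSA-RC4-SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
           frozenset({"MEDIUM", "ECDHE", "kEECDH", "RSA", "RC4"})),
    Cipher("RC4-SHA", "TLS_RSA_WITH_RC4_128_SHA",
           frozenset({"MEDIUM", "kRSA", "RSA", "RC4"})),
    Cipher("RC4-MD5", "TLS_RSA_WITH_RC4_128_MD5",
           frozenset({"MEDIUM", "kRSA", "RSA", "RC4", "MD5"})),
    Cipher("DES-CBC-SHA", "TLS_RSA_WITH_DES_CBC_SHA",
           frozenset({"LOW", "kRSA", "RSA", "DES"})),
    Cipher("ADH-AES128-SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA",
           frozenset({"HIGH", "ADH", "aNULL", "kEDH", "AES"})),
    Cipher("EXP-RC4-MD5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
           frozenset({"EXPORT", "kRSA", "RSA", "RC4", "MD5"})),
]


def _matches(cipher, keyword):
    """ALL matches every suite in the table; any other keyword must be a tag."""
    return keyword == "ALL" or keyword in cipher.tags


def evaluate(cipher_string, table=CIPHERS):
    """Return the IANA names a cipher-list string selects, in preference order."""
    selected = []   # current ordered selection
    killed = set()  # suites removed with '!', which can never be re-added
    for item in cipher_string.split(":"):
        if not item:
            continue
        prefix = item[0] if item[0] in "!-+" else ""
        body = item[len(prefix):]
        if body.startswith("@"):
            raise ValueError(f"sorting directive not supported here: {item}")
        # 'A+B' inside an item means both keywords must match (logical AND)
        required = body.split("+")
        matched = [c for c in table if all(_matches(c, kw) for kw in required)]
        names = {c.name for c in matched}
        if prefix == "!":
            killed |= names
            selected = [c for c in selected if c.name not in killed]
        elif prefix == "-":
            selected = [c for c in selected if c.name not in names]
        elif prefix == "+":
            moved = [c for c in selected if c.name in names]
            selected = [c for c in selected if c.name not in names] + moved
        else:
            present = {c.name for c in selected}
            for c in matched:
                if c.name not in present and c.name not in killed:
                    selected.append(c)
                    present.add(c.name)
    return [c.iana for c in selected]


def rc4_suites(cipher_string, table=CIPHERS):
    """RC4 suites a cipher-list string leaves enabled (the SSLLabs finding)."""
    return [name for name in evaluate(cipher_string, table) if "RC4" in name]


if __name__ == "__main__":
    for s in ("HIGH:MEDIUM",
              "ALL:!ADH:!EXPORT:!SSLv2:!RC4:+HIGH:+MEDIUM:+LOW",
              "HIGH:MEDIUM:-RC4:MEDIUM",
              "HIGH:MEDIUM:!RC4:MEDIUM"):
        print(f"{s}\n  enabled: {evaluate(s)}\n  RC4 left: {rc4_suites(s)}")
```

Run against this table, `HIGH:MEDIUM` yields exactly the three RC4 suites SSLLabs reported, because MEDIUM pulls them in after the HIGH suites. The answer's string removes them with `!RC4`, and the `-RC4` versus `!RC4` pair shows why the permanent form matters: a later keyword can silently re-add what `-` took out. The same string also shows that `+LOW` leaves LOW suites such as DES enabled at the end of the preference list, which is why the answer points to the Mozilla generator rather than stopping at RC4.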