CVE-2014-0224 requires an update of openssl.
"RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available."
and
"The server does not support Forward Secrecy with the reference browsers."
are mere webserver configuration issues.
Something like this (assuming an Apache):

SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add a six-month HSTS header for all users...
Header add Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: max-age=15768000 ; includeSubDomains
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

is recommended by https://bettercrypto.org / Applied Crypto Hardening.
Usage of HTTP Strict Transport Security (HSTS) should be carefully judged, as it may break things and drastically increase server load. From the security point of view, it is recommended.
Your certificate probably is fine, but if it has been used with a heartbleed exploitable version of openssl, you do have to replace it (it might be compromised).
However, upgrading openssl and configuring the webserver will require superuser privileges. If you are using shared hosting, there's nothing you can do besides asking the hosting company to fix it. And they probably won't give a damn.
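As an added illustration (not part of the answer above), the following Python script lints an Apache mod_ssl fragment for exactly the scanner findings the answer is addressing: RC4 not excluded, no ephemeral (EECDH/EDH) suites so no forward secrecy, SSLv2/SSLv3 still enabled, SSLHonorCipherOrder not set, TLS compression left on, and no HSTS header. Both configuration samples are constructed here: the hardened one is the answer's directives, the weak one is a deliberately bad fragment. The cipher-suite check is textual (it looks for `!RC4` and similar exclusions in the string); the authoritative expansion is `openssl ciphers -v '<string>'` on the server's own OpenSSL, which is what the Apache `SSLCipherSuite` value is ultimately fed to.

```python
"""Lint an Apache mod_ssl configuration fragment for common TLS misconfigurations."""

# Cipher-string components a modern SSLCipherSuite should explicitly exclude ("!TOKEN").
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "MD5", "EXP", "LOW", "aNULL", "eNULL")

# Constructed sample: the hardened directives recommended in the answer above.
HARDENED_CONFIG = """
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add a six-month HSTS header for all users...
Header add Strict-Transport-Security "max-age=15768000"
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
"""

# Constructed sample: a deliberately weak fragment of the kind a scanner would flag.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:DES-CBC3-SHA
SSLHonorCipherOrder off
"""


def parse_directives(config_text):
    """Return (directive, value) pairs, ignoring comments and blank lines; quotes around values are dropped."""
    pairs = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip("'\"") if len(parts) > 1 else ""
        pairs.append((parts[0], value))
    return pairs


def protocol_enabled(protocol_value, proto):
    """Simplified SSLProtocol semantics: 'All' enables every version, '-X' removes one, '+X' or 'X' adds one."""
    enabled = set()
    for tok in protocol_value.split():
        if tok.lower() == "all":
            enabled |= {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return proto in enabled


def lint_ssl_config(config_text):
    """Return a list of human-readable findings; an empty list means none of the checked problems were found."""
    directives = {}
    hsts_present = False
    for name, value in parse_directives(config_text):
        if name.lower() == "header" and "strict-transport-security" in value.lower():
            hsts_present = True
        else:
            directives[name.lower()] = value

    findings = []
    protocols = directives.get("sslprotocol", "all")  # Apache's default is 'all'
    for legacy in ("SSLv2", "SSLv3"):
        if protocol_enabled(protocols, legacy):
            findings.append(f"{legacy} is enabled (SSLProtocol)")

    suite = directives.get("sslciphersuite")
    if suite is None:
        findings.append("SSLCipherSuite not set; the OpenSSL default list is used")
    else:
        tokens = [t.strip() for t in suite.split(":") if t.strip()]
        for weak in WEAK_CIPHER_TOKENS:
            if f"!{weak}" not in tokens:
                findings.append(f"SSLCipherSuite does not exclude {weak}")
        if not any(t.startswith(("EECDH", "EDH", "ECDHE", "DHE")) for t in tokens):
            findings.append("SSLCipherSuite lists no ephemeral (EECDH/EDH) suites: no forward secrecy")

    if directives.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On: the client's preference (possibly RC4) wins")
    # The SSLCompression default changed between Apache versions, so an unset value is reported too.
    if directives.get("sslcompression", "on").lower() != "off":
        findings.append("SSLCompression is not off (TLS compression, CRIME)")
    if not hsts_present:
        findings.append("No Strict-Transport-Security header is sent")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_ssl_config(cfg) or ["no findings"]:
            print(" -", finding)
```

The linter only sees what the configuration text says; it does not know which OpenSSL version is installed, so the CVE-2014-0224 and Heartbleed items in the answer still need a package update and, where the key may have been exposed, a reissued certificate.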
What kind of server is this? VPS? Shared hosting? Ubuntu? CentOS? – Paul – 2014-06-29T20:43:56.730
@Paul Shared hosting, CentOS 6, 64-bit. – mpen – 2014-06-29T20:49:06.033
Assuming you don't have root access, contact your ISP and have them fix it, or switch ISPs. – Paul – 2014-06-29T20:50:39.750
@Paul ISP? You mean hosting provider? "ISP" is who I buy my home internet connection from. – mpen – 2014-06-29T20:51:20.393
https://en.wikipedia.org/wiki/Internet_Service_Provider – Paul – 2014-06-29T20:54:12.357
@Paul Didn't know ISP included "Hosting ISPs", thought it specifically meant "Access providers". Fair enough. – mpen – 2014-06-29T23:46:51.757