[SOLVED] Please help me disable weak ciphers

Issues related to applications and software problems
Post Reply
neodaemon
Posts: 5
Joined: 2005/10/13 23:43:05

[SOLVED] Please help me disable weak ciphers

Post by neodaemon » 2013/10/17 00:14:09

Centos 6.4 32-bit
Apache 2.2
PHP 5.3
mod_ssl.i686 1:2.2.15-29.el6.centos
openssl.i686 1.0.0-27.el6_4.2
openssl098e.i686 0.9.8e-17.el6.centos.2

I have been reading articles for the past few days on disabling weak ciphers for SSL-enabled websites. Every article I read is basically the same: open your ssl.conf and make the following changes:
[code]
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
[/code]

...then restart your HTTPD service.

I do this, but it makes no difference. Using Qualys SSL Labs, I get the following results on my SSL scan:
[code]
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK 40
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 56
...
[/code]

The ciphers shown above are the ones I need to eliminate for PCI compliance.
I have many others enabled, and they show up too, but are ok:

[code]
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
[/code]

It's almost like my website is ignoring my ssl.conf file. I have rebooted, still no changes.
Can someone please help me disable weak and mediaum ciphers?

neodaemon
Posts: 5
Joined: 2005/10/13 23:43:05

Re: Please help me disable weak ciphers

Post by neodaemon » 2013/10/17 07:45:40

I solved my own problem. Figures - after I post my question.
For anyone having issues with this - hopefully this will help them:

I can't be sure if this is specific to my distro - or specific to my application versions - or what.

When you are using "virtual hosts" configured in your httpd.conf, even if they are IP-based virtual hosts, their directives seem to overwrite the respective SSL cipher-related directives declared in your ssl.conf file. So even though you are declaring what ciphers to use and what ciphers to disregard in your ssl.conf - you may need to declare this in your virtual hosts directives in your httpd.conf as well.

I did this and BAM! it worked like a charm. "A" rating now on the cipher scan from Qualys SSL Labs.

Peace,

tigalch
QA Team
Posts: 522
Joined: 2012/06/23 17:28:41
Location: Austria

[SOLVED] Re: Please help me disable weak ciphers

Post by tigalch » 2013/10/17 15:52:37

Moderator: one for the SOLVED department

alexm
Posts: 32
Joined: 2012/06/04 21:04:55

Re: [SOLVED] Please help me disable weak ciphers

Post by alexm » 2019/07/19 13:24:03

Just wanted to add to this post, that the ssl.conf configuration here should not be used. SSLv3 is no longer considered secure, and will reward you with an "F" rating at ssllabs.com, for one thing.

This will be an ongoing issue, as vulnerabilities will continue to be found, so I am not going to add today's solution, as it may be outdated by tomorrow.

The base idea (that a virtual config may override the base config) is still valid.

Post Reply

Return to “CentOS 6 - Software Support”