I'm trying to disable RC4 ciphers by using this configuration on Apache:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
But Qualys SSLTest is still saying that I'm using RC4, even though there is this !RC4 flag.
I've tried this too:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
I'm using Apache 2.4 and OpenSSL 1.0.1j
Thanks
Best Answer
Try this:
Changes:
EECDH+aRSA+RC4 becomes !EECDH+aRSA+RC4
RC4
Restart web server, clear cache in Qualys SSLTest.
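A way to check a cipher string locally before re-running the scan, added here as an example and not part of the question or the answer: it expands each string with the OpenSSL that Python links against (the same expansion `openssl ciphers -v` performs) and lists any RC4 suites that survive. The function names are chosen for this example; the two strings are copied from the question.

```python
import ssl

# First string from the question: names RC4 explicitly, then ends with !RC4.
FIRST = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES "
    "!MD5 !EXP !PSK !SRP !DSS !RC4"
)

# Second string from the question: RC4 is no longer named, but there is no
# !RC4 either, so the broad EECDH alias can still match ECDHE RC4 suites on
# an OpenSSL build that has them.
SECOND = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)


def resolve(cipher_string):
    """Return the suite names the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string selects no cipher at all.
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_suites(cipher_string):
    """Return only the RC4 suites left after OpenSSL expands the string."""
    return [name for name in resolve(cipher_string) if "RC4" in name]


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    for label, value in (("first", FIRST), ("second", SECOND),
                         ("second + !RC4", SECOND + " !RC4")):
        found = rc4_suites(value)
        print(f"{label}: {len(resolve(value))} suites, RC4: {found or 'none'}")
```

The result depends on the OpenSSL build doing the expansion: a build compiled without RC4 reports none for every string, so run this against the same OpenSSL the web server uses. In OpenSSL's cipher-list syntax a `!` entry deletes the matching suites permanently, wherever it appears in the string.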