I’ve been searching and testing for a couple of days now and have run out of things to try. Here’s my problem. I have an Apache Lounge 2.4.18 (Win32) VC14 web server running on a Microsoft Windows 2008 R2 server using OpenSSL 1.0.2g. Our corporate security team scanned my server and detected that RC4 is being utilized. (They used Nexpose from Rapid7). They recommended configuring the server to disable support for RC4 ciphers and suggested using the cipher configuration shown below. They also recommended not using TLSv1 and only using TLSv1.1 and TLSv1.2. I also ran SSLScan to duplicate the results and can see “TLSv1 128 bits RC4-SHA” was accepted.
No problem I thought and changed my httpd.conf file as shown below then restarted the Apache2.4 service. I then had them re-scan the server and they received the same results. I’ve searched the entire server looking for files that contain “SSLCipherSuite” or “SSLProtocol” and deleted or renamed them all except \Apache24\conf\httpd.conf. I do have an \Apache24\conf\openssl.cnf file but I don’t think it does anything because it’s still the default file that comes with Apache. I also did a massive cleanup and deleted all the old versions of Apache, OpenSSL, and PHP. I upgraded Apache and OpenSSL from Apache 2.2 and OpenSSL 0.9.x about 3 weeks ago and have been running without problems. I don’t have any startup errors in the error.log or windows event viewer.
Is there somewhere else Apache/OpenSSL determines the protocols or cipher suites?
Is there a default somewhere that would ignore my SSL related directives?
Contents of my httpd.conf file (“MYDOMAIN” obviously isn’t my actual domain name):
<VirtualHost *:80>
DocumentRoot "C:/Apache24/htdocs"
ServerName www.MYDOMAIN.com
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/Apache24/htdocs_apps"
ServerName apps.MYDOMAIN.com
SSLEngine on
SSLCertificateFile "C:/Apache24/certs/233afff052190aeb.crt"
SSLCertificateKeyFile "C:/Apache24/certs/star_MYDOMAIN_com.key"
# SSLCertificateChainFile "C:/Apache24/certs/gd_bundle-g2-g1.crt"
SSLProtocol -ALL +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSAAES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSAAES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
<Location / >
Options -ExecCGI -FollowSymLinks -Indexes
Require all granted
</Location>
</VirtualHost>
Any help is greatly appreciated.
Best Answer
As to the openssl.conf, does it have an SSLCipherSuite directive in it and, if so, is it commented out? There may be a "merge" issue.
Looking at your SSLCipherSuite directive, I see the following issues (which may or may not be part of the problem here):
Typos:
TLSv1.0 protocols:
In any case, I use:
with
and pull an A+ rating out of Qualys SSL Labs' SSL Server Test (including verification of no RC4).
NOTE: Although some people are dropping TLSv1.0, you might have trouble with a fair number of browsers, possibly including Android 5.0.0 and back, IE 8-10 on Win 7, IE 10 on Win Phone 8.0, Safari 5.1.9 on OS X 10.6.8, and Safari 6.0.4 on OS X 10.8.4