Linux – Disabling anonymous ciphers in Apache not working

apache-2.2linuxopensslSecurityssl

We have an Apache 2.2.3 server with OpenSSL 0.9.8e-fips-rhel5. I am running the following SSL configuration in my VirtualHost. I can't find any other config files with any SSL directives whatsoever.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite CDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

However, I'm still failing the SslLabs scan with the following message:

This server supports anonymous (insecure) suites

Why is it still failing if I'm only using strong ciphers and can't find any overriding configuration anywhere?

Best Answer

openssl ciphers -v with the cipher string will show the list.

You don't disable null encryption with !eNULL. OpenSSL does not enable it even in ALL but might as well make turning it off explicit.

Check for any config files containing SSL. And confirm it is httpd listening on that port.

You can get a second opinion with a local SSL/TLS scan script. There are a couple good ones that show exactly which ciphers they use.

Strong ciphers is relative. OpenSSL 0.9.8 can't really do TLS 1.1 or 1.2 so it isn't going to provide modern security (or score well in SSLLabs).

Related Solutions

Ssl – Apache SSL not working

mod_ssl.so is making a a request for the symbol ap_set_deprecated which is not available with the 1.3 but with 2.0 (I just downloaded the sources and checked).

You'll need to rebuild mod_ssl.so. Download the sources here : http://www.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz . This doesn't make any calls to ap_set_deprecated. (I checked this too).

-- Ram

SSL user authentication not working in Apache

Solved it. turns out it was a permissions problem:

I have set up a similar setting on a clean Debian Squeeze machine and it worked right from the start. The difference in debug output was:

[debug] ssl_engine_kernel.c(1321): [client 80.252.98.156] Certificate Verification: depth: 2, subject: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA 
[debug] ssl_engine_kernel.c(1321): [client 80.252.98.156] Certificate Verification: depth: 1, subject: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
[debug] ssl_engine_kernel.c(1321): [client 80.252.98.156] Certificate Verification: depth: 0, subject: /CN=kettensaege@massaker.de/emailAddress=kettensaege@massaker.de, issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2

on the 'good' side, vs:

[debug] ssl_engine_kernel.c(1321): [client 80.252.98.156] Certificate Verification: depth: 1, subject: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
[error] [client 80.252.98.156] Certificate Verification: Error (20): unable to get local issuer certificate

on the 'bad' side.

The main difference between the two setups are the permissions for the /conf dir of the apache installation where the CA-certs reside. For security reasons we have the permissions set to 750 and the dir owned by root. Moving the CA files to a dir readable (or to be precise 'executable' to be used in path) made the problem disappear.

So it seems that though mod_ssl claims to read the certificates at server startup it still needs access to the hashed files while running (and having dropped it's root privileges).

Best Answer

Related Solutions

Ssl – Apache SSL not working

SSL user authentication not working in Apache

Related Topic