Ssl – Disable all but RC4 in apache

apache-2.2encryptionpci-dssssltls

Our PCI compliance vendor requires that we disable all but RC4 encryption on our web server. Currently our apache config file looks like this:

SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC:!aNull:!eNull:!LOW:!SSLv2

However, https://www.ssllabs.com reports the following ciphers are allowed:

TLS_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

How can I configure apache to only allow RC4?

Best Answer

Interesting how things change. This is an old message but shows up in google searches so I should add that RC4 is now (2015) considered insecure and should not be used at all for PCI compliant sites.

Related Solutions

Ssl – Fixing BEAST vulnerability on Apache 2.0 running on RHEL 4

Other than compiling a newer Apache by hand, the only thing I can think of would be to make RC4-SHA the only supported cipher (tested with openssl ciphers RC4-SHA on the current openssl to make sure it only prints one cipher, you may want to do the same to make sure it doens't match some weird old cipher on your old openssl):

SSLCipherSuite RC4-SHA

MS says Windows XP suports TLS_RSA_WITH_RC4_128_SHA so you shouldn't have any compatibility problems.

Cannot disable RC4

Try this:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 !EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Changes:

EECDH+aRSA+RC4 become !EECDH+aRSA+RC4
Remove RC4

Restart web server, clear cache in Qualys SSLTest.

Best Answer

Related Solutions

Ssl – Fixing BEAST vulnerability on Apache 2.0 running on RHEL 4

Cannot disable RC4

Related Topic