SSL – Disabling weak protocols and ciphers in CentOS with Apache

apache-2.4, cipher, openssl, ssl, vulnerability

Can anyone help me determine what could be the reason I am still getting VA gaps from the scanner for the following? My server hosts multiple web apps, but I am using the same settings for all virtual hosts.

20007 – SSL Version 2 and 3 Protocol Detection

NOTE: SSLEngine and SSLHonorCipherOrder are both turned on.

This is for the protocols. All are disabled and only TLS versions 1.1 and 1.2 are enabled; however, the scanner still detects SSLv3:

SSLProtocol -All +TLSv1.1 +TLSv1.2

I have also tried this way:

SSLProtocol all -SSLv2 -SSLv3

I have tried testing the following:
openssl s_client -connect localhost:443 -ssl2 -> handshake failure (which is OK)
openssl s_client -connect localhost:443 -ssl3 -> this works, and I am not sure why, because this has been disabled for all vHosts (the setting is like the one above)

===============

The other 2 vulnerabilities:

42873 – SSL Medium Strength Cipher Suites Supported
Here is the list of medium strength SSL ciphers supported by the remote server :
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

65821 – SSL RC4 Cipher Suites Supported (Bar Mitzvah)
List of RC4 cipher suites supported by the remote server :
ECDHE-RSA-RC4-SHA Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

This is the CipherSuite. I have marked in bold all the ciphers found by the scanner, and all of them have been disabled in my config; however, they still appear during the scan:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 !EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH-RSA-DES-CBC3-SHA !ECDHE-RSA-DES-CBC3-SHA !DES-CBC3-SHA !ECDHE-RSA-RC4-SHA !RC4-MD5 !RC4-SHA"

NOTE: The change log for the httpd version I have does not include the CVEs for the mentioned gaps, based on my checking. I am also aware that httpd needs to be restarted after each config change.

Please advise if any of you have suggestions, I might be missing something. Thanks.
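A quick way to confirm that a cipher string really excludes what a scanner reports is to expand it with the same OpenSSL library, as `openssl ciphers -v '<string>'` would. The script below is an added example, not part of the question: it expands the SSLCipherSuite value quoted above through Python's ssl module (so the result reflects whatever OpenSSL the interpreter links, not necessarily the server's) and checks the six suite names from findings 42873 and 65821 against the expansion. A clean result here only proves the string itself is sound; it says nothing about which vhost the scanner was actually talking to.

```python
"""Expand an Apache SSLCipherSuite value with the local OpenSSL, the way
'openssl ciphers -v' does, and check the scanner's findings against it.
Added example; the expansion reflects the OpenSSL this Python links, which
need not match the server's."""
import ssl

# The SSLCipherSuite value quoted in the question above.
HARDENED = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
            "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
            "!EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES "
            "!MD5 !EXP !PSK !SRP !DSS !EDH-RSA-DES-CBC3-SHA "
            "!ECDHE-RSA-DES-CBC3-SHA !DES-CBC3-SHA !ECDHE-RSA-RC4-SHA "
            "!RC4-MD5 !RC4-SHA")

# Suite names from scanner findings 42873 (3DES) and 65821 (RC4) above.
FLAGGED = ("EDH-RSA-DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA", "DES-CBC3-SHA",
           "ECDHE-RSA-RC4-SHA", "RC4-MD5", "RC4-SHA")


def expand_cipher_string(spec):
    """Suite names OpenSSL selects for an OpenSSL-format cipher string, in the
    server's preference order (the order SSLHonorCipherOrder on enforces).
    Names this OpenSSL does not know are skipped by its parser; an empty
    result raises ssl.SSLError, so a typo that empties the list is caught."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def leaked_suites(spec, flagged=FLAGGED):
    """Flagged suites that survive the cipher string; should be empty."""
    return [name for name in expand_cipher_string(spec) if name in flagged]


def weak_by_pattern(spec, markers=("RC4", "DES", "MD5", "NULL", "EXP")):
    """Broader check than the scanner's list: any selected suite whose name
    carries a known-weak marker (note that 'AES' does not contain 'DES')."""
    return [name for name in expand_cipher_string(spec)
            if any(marker in name for marker in markers)]


if __name__ == "__main__":
    for name in expand_cipher_string(HARDENED):
        print(name)
    print("leaked:", leaked_suites(HARDENED) or "none")
    print("weak by pattern:", weak_by_pattern(HARDENED) or "none")
```

`SSLContext.get_ciphers()` needs Python 3.6 or later. Run it on the server itself (with the system Python, which links the same OpenSSL as httpd) to get the expansion mod_ssl would actually use.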

Best Answer

Apologies for the trouble. My teammate discovered that the following lines also needed to be updated in /etc/httpd/conf.d/ssl.conf:

SSLProtocol -all -TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 !EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH-RSA-DES-CBC3-SHA !ECDHE-RSA-DES-CBC3-SHA !DES-CBC3-SHA !ECDHE-RSA-RC4-SHA !RC4-MD5 !RC4-SHA"

Once updated, it cleared the security scan result.
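Why the vhost-level directive was not enough, shown with an added example rather than anything from the original post: an SSLv3 ClientHello carries no SNI, and a scanner that connects by IP address usually sends none either, so such a handshake is answered by the first (default) vhost bound to that address and port, which on a CentOS install is the `_default_:443` block in /etc/httpd/conf.d/ssl.conf. A 2.4 build that predates per-vhost protocol negotiation (a later mod_ssl feature that also needs OpenSSL 1.1.1) takes the protocol set from that vhost for other clients on the port too. The script below evaluates SSLProtocol values the way mod_ssl 2.4 does (left to right, `+` adds, `-` removes, a bare keyword replaces, `-SSLv2` accepted as a no-op because 2.4 no longer speaks SSLv2) over constructed config text modelled on that layout, and reports which vhost still offers SSLv3 before and after the ssl.conf change from the answer. The file names, vhost names and load order are assumptions.

```python
"""Evaluate Apache SSLProtocol directives across httpd config files and report
every vhost that still offers SSLv3.  Added example over constructed config
text; it never reads /etc/httpd or contacts a server."""
import re

# Keywords mod_ssl 2.4 accepts (case-insensitive).  httpd 2.4 no longer speaks
# SSLv2: "-SSLv2" is accepted as a no-op, "+SSLv2" or a bare "SSLv2" is an error.
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_KEYWORD = {p.lower(): frozenset({p}) for p in PROTOCOLS}
_KEYWORD["all"] = frozenset(PROTOCOLS)
_VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
_SSLPROTOCOL = re.compile(r"SSLProtocol\s+(.+?)\s*$", re.I)

def parse_sslprotocol(value):
    """Versions one SSLProtocol value enables, evaluated left to right: "+name"
    adds, "-name" removes, and a bare name REPLACES what came before (mod_ssl
    logs a warning when a bare keyword overrides earlier tokens)."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        key = name.lower()
        if key == "sslv2":
            if sign == "-":
                continue
            raise ValueError("SSLProtocol: SSLv2 is no longer supported")
        if key not in _KEYWORD:
            raise ValueError("SSLProtocol: unknown keyword %r" % token)
        if sign == "+":
            enabled |= _KEYWORD[key]
        elif sign == "-":
            enabled -= _KEYWORD[key]
        else:
            enabled = set(_KEYWORD[key])
    return frozenset(enabled)

def effective_protocols(configs):
    """Walk (filename, text) pairs in load order; return [(vhost, file, versions)]
    in definition order.  A vhost without its own SSLProtocol inherits the
    server-level value, which is mod_ssl's built-in "all" when never set."""
    server_value, vhosts, current = "all", [], None
    for fname, text in configs:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            opened = _VHOST_OPEN.match(line)
            directive = _SSLPROTOCOL.match(line)
            if opened:
                current = [opened.group(1).strip(), fname, None]
            elif line.lower().startswith("</virtualhost>") and current:
                vhosts.append(current)
                current = None
            elif directive and current is None:
                server_value = directive.group(1)
            elif directive:
                current[2] = directive.group(1)
    return [(scope, fname, parse_sslprotocol(value or server_value))
            for scope, fname, value in vhosts]

def sslv3_offenders(configs):
    """Vhosts whose effective SSLProtocol still includes SSLv3."""
    return [scope for scope, _, versions in effective_protocols(configs)
            if "SSLv3" in versions]

def default_vhost(configs, port="443"):
    """First vhost bound to the port: it answers any ClientHello without SNI
    (every SSLv3 hello, and most scans that connect by IP address).  httpd
    treats "_default_" and "*" as the same wildcard address."""
    for scope, _, _ in effective_protocols(configs):
        if any(addr.endswith(":" + port) for addr in scope.split()):
            return scope
    return None

# Constructed sample files in conf.d (alphabetical) load order; ssl.conf is
# modelled on the stock CentOS file, which carries the _default_:443 vhost.
SSL_CONF = """\
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLHonorCipherOrder on
</VirtualHost>
"""
VHOSTS_CONF = """\
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    SSLProtocol -All +TLSv1.1 +TLSv1.2
</VirtualHost>
"""
# The ssl.conf change from the answer above.
SSL_CONF_FIXED = SSL_CONF.replace(
    "SSLProtocol all -SSLv2", "SSLProtocol -all -TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3")

if __name__ == "__main__":
    for label, fixed in (("before", SSL_CONF), ("after", SSL_CONF_FIXED)):
        files = [("ssl.conf", fixed), ("vhosts.conf", VHOSTS_CONF)]
        print("%s: default vhost on :443 is %s" % (label, default_vhost(files)))
        for scope, fname, versions in effective_protocols(files):
            print("  %-14s %-12s %s" % (scope, fname, " ".join(sorted(versions))))
        print("  still offering SSLv3:", sslv3_offenders(files) or "none")
```

Two things the run makes visible: with the stock `all -SSLv2` left in ssl.conf the `_default_:443` vhost still offers SSLv3 even though the application vhost does not, and any vhost that simply omits SSLProtocol inherits the server-level value, which is `all` unless something sets it globally. The same reasoning applies to SSLCipherSuite, which is why the answer put the cipher string into ssl.conf as well.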