I have a web server running Apache 2.0 on RHEL4. This server recently failed a PCI scan.
Reason:
SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability
Solution:
This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2.
If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability.
Using the following SSL configuration in Apache mitigates this vulnerability:
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
Simple fix, I thought. I added the lines to Apache configuration and it didn't work. Apparently
"SSLHonorCipherOrder On" will only work on Apache 2.2 and later. I tried upgrading Apache, soon ran into dependency hell and it seems I will have to upgrade the entire OS to upgrade to Apache 2.2. We are retiring this server in a few months so it's not worth it.
The solution says "If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability."
How would I do this on Apache 2.0? Is this even possible? If not, are there any other work arounds?
Best Answer
Other than compiling a newer Apache by hand, the only thing I can think of would be to make RC4-SHA the only supported cipher (tested with
openssl ciphers RC4-SHAon the current openssl to make sure it only prints one cipher, you may want to do the same to make sure it doens't match some weird old cipher on your old openssl):MS says Windows XP suports TLS_RSA_WITH_RC4_128_SHA so you shouldn't have any compatibility problems.