httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] Two SSL directives appear to be not working with SSL Labs server test
Date Tue, 07 Aug 2012 12:46:42 GMT
On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder@gmail.com> wrote:
> I have been checking my Apache 2.2.14 server with this link:
>
>   https://www.ssllabs.com/ssltest/index.html
>
> I am trying to improve my SSL Labs security score but can't beat 85.
> I am running Apache 2.2.14 (from Ubuntu's package).
>
> I get the following scores:
>
>   Certificate              100
>   Protocol support       85
>   Key exchange          80
>   Cipher exchange      90
>
> The test report shows:
>
>   This server is vulnerable to the BEAST attack.
>   Certificate Key RSA/4096 bits
>   Cipher Suites (sorted by strength; server has no preference)

I'm not sure how the tool can make that determination. SSLv3-and-later
allows the server to pick any cipher out of the intersection of what's
supported by both ends.

>     TLS_RSA_WITH_RC4_128_MD5 (0x4)      128
>     TLS_RSA_WITH_RC4_128_SHA (0x5)      128
>     TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)     128
>     TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
>     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)  168
>     TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
>     TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)     256
>
> I have the following in my server block:
>
>   SSLProtocol all -SSLv2
>   SSLHonorCipherOrder On
>   # disallow DH ciphers
>   SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH
>
> It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
> directives aren't working according to the test report.

What does the following report on your system?

  openssl ciphers 'HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH'

When I run it on different systems, RC4 may or may not be preferred.
I'm not terribly familiar with the syntax, but it doesn't look as if
that string takes great lengths to prefer or require RC4 to mitigate
the BEAST issue.

Although I also now notice you disabled MD5 but the scan reported
rc4-md5. Are you sure it scanned your actual system and you're in the
right vhost?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
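The two things Eric asks Tom to check are what the cipher string actually expands to, and whether the scanner hit a vhost carrying that string at all. The following is an added example, not code from either poster or from Apache/OpenSSL: a small evaluator for the OpenSSL cipher-string syntax (`:`-separated words, `!`/`-`/`+` prefixes, `+` as AND inside a word, `@STRENGTH`) run over a constructed suite table, so the effect of each word in `HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH` can be traced step by step. The suite table, the compiled-in order, and the alias definitions are assumptions (a 1.0.x-style HIGH grouping; `TLSv1` treated as matching every suite, as the old alias did when it was the same flag as `SSLv3`); the real answer depends on the OpenSSL build linked into httpd, which is why `openssl ciphers -v` has to be run on the server itself. `OBSERVED` is the report's suite list translated from IANA names to OpenSSL names.

```python
# Added example, not from the thread: toy evaluator for OpenSSL cipher strings.
# SUITES, their order and ALIASES are constructed/simplified assumptions; the
# real expansion depends on the OpenSSL build, so verify with `openssl ciphers -v`.
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str   # OpenSSL name
    kx: str     # key exchange: RSA or DH
    au: str     # authentication: RSA or NULL (anonymous)
    enc: str    # AES256, AES128, 3DES or RC4
    mac: str    # SHA1 or MD5
    bits: int


# Constructed table: the suites from the SSL Labs report plus one anonymous-DH
# suite, in an arbitrary "compiled-in" order (assumption).
SUITES = [
    Suite("DHE-RSA-AES256-SHA",   "DH",  "RSA",  "AES256", "SHA1", 256),
    Suite("AES256-SHA",           "RSA", "RSA",  "AES256", "SHA1", 256),
    Suite("DHE-RSA-DES-CBC3-SHA", "DH",  "RSA",  "3DES",   "SHA1", 168),
    Suite("DES-CBC3-SHA",         "RSA", "RSA",  "3DES",   "SHA1", 168),
    Suite("DHE-RSA-AES128-SHA",   "DH",  "RSA",  "AES128", "SHA1", 128),
    Suite("AES128-SHA",           "RSA", "RSA",  "AES128", "SHA1", 128),
    Suite("ADH-AES128-SHA",       "DH",  "NULL", "AES128", "SHA1", 128),
    Suite("RC4-SHA",              "RSA", "RSA",  "RC4",    "SHA1", 128),
    Suite("RC4-MD5",              "RSA", "RSA",  "RC4",    "MD5",  128),
]

# Subset of the aliases in ciphers(1), as predicates over a Suite. In OpenSSL
# "DH" covers every DH key exchange (anonymous, ephemeral and fixed).
ALIASES = {
    "ALL":   lambda s: True,
    "HIGH":  lambda s: s.enc in ("AES256", "AES128", "3DES"),  # RC4 is MEDIUM
    "RC4":   lambda s: s.enc == "RC4",
    "MD5":   lambda s: s.mac == "MD5",
    "aNULL": lambda s: s.au == "NULL",
    "DH":    lambda s: s.kx == "DH",
    "EDH":   lambda s: s.kx == "DH" and s.au != "NULL",
    "ADH":   lambda s: s.kx == "DH" and s.au == "NULL",
    "SSLv3": lambda s: True,
    "TLSv1": lambda s: True,   # assumption: same as SSLv3, as in old releases
}


def expand(spec, trace=None):
    """Return the ordered suite names selected by an OpenSSL cipher string.

    Words are separated by ':'. A word with no prefix appends matching suites
    not already present (and not killed); '-' removes them but they may be
    re-added later; '!' removes them permanently; '+' moves matching suites
    to the end without adding any. Inside a word, '+' joins aliases that must
    all match (AND). '@STRENGTH' sorts the current list by key size. If
    `trace` is a list, (word, names-after-word) is appended for every word.
    """
    current, killed = [], set()
    for word in spec.split(":"):
        if word == "@STRENGTH":
            current.sort(key=lambda s: -s.bits)   # stable: ties keep their order
        else:
            op = word[0] if word[:1] in ("!", "-", "+") else ""
            preds = [ALIASES[alias] for alias in word[len(op):].split("+")]
            matches = [s for s in SUITES if all(p(s) for p in preds)]
            if op == "!":
                killed.update(matches)
                current = [s for s in current if s not in matches]
            elif op == "-":
                current = [s for s in current if s not in matches]
            elif op == "+":
                current = ([s for s in current if s not in matches]
                           + [s for s in current if s in matches])
            else:
                current += [s for s in matches
                            if s not in current and s not in killed]
        if trace is not None:
            trace.append((word, [s.name for s in current]))
    return [s.name for s in current]


# The report's suites, IANA names translated to OpenSSL names, in report order.
OBSERVED = ["RC4-MD5", "RC4-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA",
            "DES-CBC3-SHA", "DHE-RSA-DES-CBC3-SHA", "AES256-SHA",
            "DHE-RSA-AES256-SHA"]


def unexplained(spec, observed):
    """Suites a scanner reported that this cipher string cannot offer.

    Anything returned here means the scanner did not talk to the vhost that
    carries this SSLCipherSuite, or the directive is not in effect there.
    """
    allowed = set(expand(spec))
    return [name for name in observed if name not in allowed]


if __name__ == "__main__":
    spec = "HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH"
    steps = []
    final = expand(spec, steps)
    for word, names in steps:
        print(f"{word:<12} -> {' '.join(names)}")
    print("server order (SSLHonorCipherOrder On):", final)
    print("reported but excluded by this string:", unexplained(spec, OBSERVED))
```

With the assumed table the string does end up with RC4-SHA first (the `+HIGH+TLSv1` word moves every HIGH suite behind the RC4 entries appended by `RC4`, and `!MD5` then drops RC4-MD5), and `!DH` removes all of the DHE suites, so four of the eight suites in the report cannot have come from this configuration. That supports the second point in the reply: check that the scan reached the vhost that carries these directives, for example with `openssl s_client -connect host:443 -servername host` and the `-cipher` option. Note that preferring RC4 was the 2012 answer to BEAST; RC4 has since been prohibited in TLS by RFC 7465, and the part of this exercise that still applies is verifying the expanded, ordered list on the real host rather than trusting the string.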

