Return-Path: 
 <users-return-104309-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
X-Original-To: apmail-httpd-users-archive@www.apache.org
Delivered-To: apmail-httpd-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 65D2D9EED
	for <apmail-httpd-users-archive@www.apache.org>;
 Tue,  7 Aug 2012 12:47:13 +0000 (UTC)
Received: (qmail 95085 invoked by uid 500); 7 Aug 2012 12:47:10 -0000
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 94874 invoked by uid 500); 7 Aug 2012 12:47:09 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
List-Post: <mailto:users@httpd.apache.org>
List-Id: <users.httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 94562 invoked by uid 99); 7 Aug 2012 12:47:09 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 07 Aug 2012 12:47:09 +0000
X-ASF-Spam-Status: No, hits=-0.7 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of covener@gmail.com designates
 209.85.217.173 as permitted sender)
Received: from [209.85.217.173] (HELO mail-lb0-f173.google.com)
 (209.85.217.173)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 07 Aug 2012 12:47:03 +0000
Received: by lbbgm13 with SMTP id gm13so1439529lbb.18
        for <users@httpd.apache.org>; Tue, 07 Aug 2012 05:46:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=nkvblenEzASfR35BlH+5cObxLFD0iz6SemjX1sP2eow=;
        b=Gh9otvrfrzJemrTTFRJE5XG7edju8U3Xoilu3mTCs5LCuaHrVEKHd585CT4ExwlUne
         jsqbyoqh5r6/xf+TumK7qHHR6GsmzPZ1/vcy00PzKEDXqFQbRl2dnK9dbLj8otRL7+IL
         HhXbiZlLzaOIdpYjszzGRuAOYJbp7tSJ0mNdRpMQORxTtgfILtHTJiRkv2ATPbxoEAvE
         OV8cMwJrEOIphBJc5Mh3SQVNA8rsFhbH3SLJfiPBDDVRHbEVHHb8ohePoF2a7ru56YQc
         WYAtqo/CZoj3Xw04cUS9Rt3Vic18IbGPPDajOkNYXzM1fzscsnQYPEfkD4HszxhXYwfM
         DEfg==
MIME-Version: 1.0
Received: by 10.112.29.166 with SMTP id l6mr6300475lbh.68.1344343602790; Tue,
 07 Aug 2012 05:46:42 -0700 (PDT)
Received: by 10.112.20.131 with HTTP; Tue, 7 Aug 2012 05:46:42 -0700 (PDT)
In-Reply-To: 
 <CAFMGiz9jiwjpXem4jPsXEWBmDUKi-GQ7xa-7J1WAZgG0tQ2Mww@mail.gmail.com>
References: 
 <CAFMGiz9jiwjpXem4jPsXEWBmDUKi-GQ7xa-7J1WAZgG0tQ2Mww@mail.gmail.com>
Date: Tue, 7 Aug 2012 08:46:42 -0400
Message-ID: 
 <CALK=YjO3K5e3PzM_WZNEq-g4McTLfU5gtp=wCrFj6KP0XfCnOQ@mail.gmail.com>
From: Eric Covener <covener@gmail.com>
To: users@httpd.apache.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [users@httpd] Two SSL directives appear to be not working with
 SSL Labs server test

On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder@gmail.com> wrote:
> I have been checking my Apache 2.2.14 server with this link:
>
>   https://www.ssllabs.com/ssltest/index.html
>
> I am trying to improve my SSL Labs security score but can't beat 85.
> I am running Apache 2.2.14 (from Ubuntu's package).
>
> I get the following scores:
>
>   Certificate              100
>   Protocol support       85
>   Key exchange          80
>   Cipher exchange      90
>
> The test report shows:
>
>   This server is vulnerable to the BEAST attack.
>   Certificate Key RSA/4096 bits
>   Cipher Suites (sorted by strength; server has no preference)

I'm not sure how the tool can make that determination. SSLv3-and-later
allows the server to pick any cipher out of the intersection of what's
supported by both ends

>     TLS_RSA_WITH_RC4_128_MD5 (0x4)      128
>     TLS_RSA_WITH_RC4_128_SHA (0x5)      128
>     TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g:
> 1, Ys: 128)     128
>     TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
>     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128,
> g: 1, Ys: 128)  168
>     TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
>     TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g:
> 1, Ys: 128)     256
>
> I have the following in my server block:
>
>   SSLProtocol all -SSLv2
>   SSLHonorCipherOrder On
>   # disallow DH ciphers
>   SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH
>
> It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
> directives aren't working according to the test report.

What does the following report on your system?

  openssl ciphers 'HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH'

When i run it on different systems, RC4 may or may not be preferred.
I'm not terribly familiar with the syntax, but it doesnt look as if
that string takes great lengths to prefer or require RC4 to mitigate
the BEAST issue.

Although I also now notice you disabled MD5 but the scan reported
rc4-md5. Are you sure it scanned your actual system and you're in the
right vhost?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org