Apache Lounge
Forum: Apache
Topic: SSL Hardening
andrew.luke (Joined: 15 Feb 2011, Posts: 2)
Posted: Tue 15 Feb '11 23:14    Subject: SSL Hardening

I have a requirement to restrict apache http server to only accept strong SSL connections with clients. In the httpd.conf I have the line:
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:-MEDIUM:-LOW

My security scanner is still failing me because I still accept "DES-CBC3-MD5 (SSLv2)". Anyone know how to modify that directive to not accept this encryption also?
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Wed 16 Feb '11 2:58

Check out this thread:
http://www.apachelounge.com/viewtopic.php?t=3595

That should answer it for you.
tdonovan, Moderator (Joined: 17 Dec 2005, Posts: 611, Location: Milford, MA, USA)
Posted: Wed 16 Feb '11 13:35

Two things might help you adjust your cipher suite.
    1. The instructions here.

    2. In your Apache bin directory: check that the openssl program is there, and execute this command with your cipher string:
    Code:
    openssl ciphers -v "RSA:!EXP:!NULL:+HIGH:-MEDIUM:-LOW"


Note that DES-CBC3-MD5 uses "Triple-DES" (i.e. 3DES) with 168-bit keys, which is actually a very strong cipher.

You are probably trying to avoid DES, not 3DES. If your security scanner does not recognize the difference, that would seem to be a bug in your security scanner.

If you really want to, you can avoid Triple-DES with this string:
Code:
RSA:!EXP:!NULL:+HIGH:-MEDIUM:-LOW:-3DES
but note that you are excluding a very strong cipher which many browsers use.

Hope this helps,
-tom-
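An added check that is not part of the thread: the scanner's finding names a protocol, "(SSLv2)", and no cipher string can switch a protocol off; in mod_ssl that is the job of the SSLProtocol directive (for example "SSLProtocol all -SSLv2"). The Python below reads the openssl ciphers -v table the way tdonovan suggests looking at it, then evaluates the SSLProtocol line of an httpd.conf fragment to show which rows a scanner would still be offered. The openssl rows are constructed to match the OpenSSL 0.9.8-era column layout (an SSLv2 row for DES-CBC3-MD5 next to its SSLv3 twin DES-CBC3-SHA, not a real capture); the two httpd.conf fragments, the parser and the audit function are illustrative and are not an Apache Lounge or Apache project tool.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on what an OpenSSL 0.9.8-era
#   openssl ciphers -v "RSA:!EXP:!NULL:+HIGH:-MEDIUM:-LOW"
# printed: one row per suite, protocol version in the second column.
# Rows are illustrative; a real run lists more suites.
CIPHERS_V_OUTPUT = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# The poster's httpd.conf line, and the same line with SSLv2 switched off.
ORIGINAL_CONF = "SSLCipherSuite RSA:!EXP:!NULL:+HIGH:-MEDIUM:-LOW\n"
HARDENED_CONF = (
    "SSLProtocol all -SSLv2\n"
    "SSLCipherSuite RSA:!EXP:!NULL:+HIGH:-MEDIUM:-LOW\n"
)

ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^(\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class Cipher:
    name: str
    proto: str   # SSLv2 / SSLv3 / TLSv1 in 0.9.8-era output
    enc: str
    bits: int
    mac: str


def parse_ciphers_v(text):
    """Turn 'openssl ciphers -v' rows into Cipher records; skip other lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Cipher(m["name"], m["proto"], m["enc"],
                               int(m["bits"] or 0), m["mac"]))
    return rows


# What the keyword "all" covered in mod_ssl 2.2 (no TLS 1.1/1.2 yet).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}


def enabled_protocols(httpd_conf):
    """Evaluate SSLProtocol as mod_ssl does: no directive means 'all';
    'all' expands, '-X' removes, '+X' or a bare 'X' adds."""
    enabled = set(ALL_PROTOCOLS)
    for line in httpd_conf.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() != "sslprotocol":
            continue
        enabled = set()                      # the directive replaces the default
        for tok in parts[1:]:
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            if name.lower() == "all":
                names = set(ALL_PROTOCOLS)
            else:
                names = {_CANONICAL.get(name.lower(), name)}
            enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def audit(httpd_conf, ciphers_v_output, min_bits=128):
    """Report what a scanner would flag: suites negotiated over SSLv2 and
    suites below min_bits, counting only protocols mod_ssl actually enables."""
    protocols = enabled_protocols(httpd_conf)
    findings = []
    for c in parse_ciphers_v(ciphers_v_output):
        if c.proto not in protocols:
            continue   # listed by openssl, but never offered by this vhost
        if c.proto == "SSLv2":
            findings.append(f"{c.name} ({c.proto}): SSLv2 is enabled; "
                            "fix with 'SSLProtocol all -SSLv2', not the cipher string")
        if c.bits < min_bits:
            findings.append(f"{c.name} ({c.proto}): {c.enc}({c.bits}) "
                            f"is below {min_bits} bits")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf, CIPHERS_V_OUTPUT) or ['no findings']}")
```

Run it and the original fragment produces exactly one finding, the DES-CBC3-MD5 SSLv2 row, while the hardened fragment produces none although the SSLCipherSuite line is unchanged: the SSLv3 3DES suite stays available, which is what "fix it without breaking it" needs. To use it against a live build, paste the real openssl ciphers -v output in place of the constructed rows. On OpenSSL 1.1.0 and later no SSLv2 rows exist at all, and current scanners also flag 3DES itself (the 64-bit block size, "Sweet32"), so on a modern server the -3DES variant from the post above is the usual choice rather than the exception.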
andrew.luke (Joined: 15 Feb 2011, Posts: 2)
Posted: Wed 16 Feb '11 22:39

Thanks guys! That was able to fix it without breaking it. I know it may be stupid, or possibly a bug, but I have to do everything I can to eliminate findings without breaking it.