Ping a Specific Port

Question

Keith Palmer Jr.

Asked: 2010-03-19 08:50:39 +0800 CST2010-03-19 08:50:39 +0800 CST 2010-03-19 08:50:39 +0800 CST

How do I disable MEDIUM and WEAK/LOW strength ciphers in Apache + mod_ssl?

772

A PCI Compliance scan has suggested that we disable Apache's MEDIUM and LOW/WEAK strength ciphers for security. Can someone tell me how to disable these ciphers?

Apache v2.2.14 mod_ssl v2.2.14

This is what they've told us:

Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) [More]

Synopsis : The remote service supports the use of weak SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. See also : http://www.openssl.org/docs/apps/ciphers .html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) [More]

8 Answers

Voted

McJeff · Answer 1 · 2010-03-19T08:56:42+08:00

Best Answer

McJeff

2010-03-19T08:56:42+08:002010-03-19T08:56:42+08:00

Depending on your needs, you can come up with an SSLCipherSuite line that handles the job for you.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Mine are below and they pass PCI scans.

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

17

rekado · Answer 2 · 2012-11-28T06:16:59+08:00

If you are unsure what ciphers this SSLCipherSuite line ends up permitting, you can run it through openssl:

openssl ciphers -v 'HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM'

This will give you a list of cipher combinations:

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
...

Modify the argument until you end up with a list that contains only the ciphers you are allowed to offer.

John York · Answer 3 · 2010-12-09T06:31:00+08:00

John York

2010-12-09T06:31:00+08:002010-12-09T06:31:00+08:00

Note that !MEDIUM will disable 128 bit ciphers as well, which is more than you need for your original request. The following config passed my PCI compliance scan, and is bit more friendly towards older browsers:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLProtocol ALL -SSLv2 -SSLv3

SSL Version 3 is insecure due to Poodle Attack (refer:http://disablessl3.com/)

5

StingeyB · Answer 4 · 2012-09-11T15:47:12+08:00

StingeyB

2012-09-11T15:47:12+08:002012-09-11T15:47:12+08:00

Just giving another solution. Per the suggestions from ssltools.com here was their suggestion that worked for me:

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

2

snazmeister · Answer 5 · 2014-10-17T01:07:35+08:00

snazmeister

2014-10-17T01:07:35+08:002014-10-17T01:07:35+08:00

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Is what I am using - which, according to ssllabs.com gives the highest level of security.

2

Sunny · Answer 6 · 2018-07-16T14:33:29+08:00

Sunny

2018-07-16T14:33:29+08:002018-07-16T14:33:29+08:00

better use cipher generator by mozilla, I follow this https://mozilla.github.io/server-side-tls/ssl-config-generator

1

Jeffrey Goldberg · Answer 7 · 2013-07-09T14:17:02+08:00

Jeffrey Goldberg

2013-07-09T14:17:02+08:002013-07-09T14:17:02+08:00

The mod_ssl documentation lists MEDIUM as "all ciphers with 128 bit encryption", while HIGH is described as "all ciphers using Triple-DES". I'm guessing that this is a documentation error, but if not "MEDIUM" is actually higher than "HIGH".

As you were told that you need at least 112 bit keys; this shouldn't matter for you as both HIGH and MEDIUM will be strong enough and you should include both.

0

Keith Palmer Jr. · Answer 8 · 2010-03-25T07:51:43+08:00

Keith Palmer Jr.

2010-03-25T07:51:43+08:002010-03-25T07:51:43+08:00

This is what I ended up having to use:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +SSLv3 +TLSv1

-1

How do I disable MEDIUM and WEAK/LOW strength ciphers in Apache + mod_ssl?

Ping a Specific Port

How do I tell Git for Windows where to find my private RSA key?

How do you restart php-fpm?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?