From: Joseph
To: gentoo-user@lists.gentoo.org
Date: Sat, 21 Jun 2014 19:29:44 -0600
Subject: [gentoo-user] apache-2.2.27 disable SSLCipherSuite LOW 40 56 bit
Message-ID: <20140622012944.GA9332@syscon7>
User-Agent: Mutt/1.5.22 (2013-10-16)

Before upgrading to apache 2.2.27 I had this line in httpd.conf

  SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

and I was getting "A-" rating from: www.ssllabs.com

Now after upgrading to apache-2.2.27 I'm getting "C" because of weak Cipher
Strength inclusion:

  TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)                                    WEAK 40
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)                                WEAK 40
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)                                 WEAK 40
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)  DH 512 bits (p: 64, g: 1, Ys: 64)    FS WEAK 40
  TLS_RSA_WITH_DES_CBC_SHA (0x9)                                          WEAK 56
  TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)           DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 56

How to get rid of it?

I've tried setting in 00_default_ssl_vhost.conf

  SSLProtocol all -SSLv2 -SSLv3
  SSLCompression Off
  SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

or

  SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

nothing helps, I'm still getting "C" because of weak Cipher Strength inclusion.

--
Joseph
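A way to check what an SSLCipherSuite string actually expands to before pointing SSL Labs at the server, added here as an example and not part of the post above or of Apache/Gentoo: it feeds both cipher strings quoted in the message to the OpenSSL linked into Python's ssl module and flags any suite that is export-grade, below 128 bits, or in one of the families SSL Labs marked WEAK (RC4, single DES, RC2, MD5, anonymous DH). The WEAK_MARKERS list and the 128-bit floor are this example's own choices. If the hardened string comes back clean here but the scan still reports 40/56-bit suites, the string in that file is not the directive the server is actually using, which narrows the search to the other SSLCipherSuite directives in the configuration.

```python
import ssl

# Constructed from the two SSLCipherSuite values quoted in the post.
ORIGINAL_SPEC = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT"
HARDENED_SPEC = ("EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED "
                 "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4")

# OpenSSL-style name fragments for the families SSL Labs reported as WEAK
# (export suites, RC4, RC2, single DES, MD5 MACs, anonymous key exchange).
# This list is an assumption of the example, not an OpenSSL alias table.
WEAK_MARKERS = ("EXP", "RC4", "RC2", "DES-CBC-SHA", "MD5", "NULL", "ADH", "AECDH")


def expand_cipher_spec(spec):
    """Return the suites the local OpenSSL selects for *spec* as dicts with
    'name', 'protocol' and 'strength_bits' (what ssl.SSLContext.get_ciphers
    reports). Raises ssl.SSLError if the string selects nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def weak_ciphers(spec, min_bits=128):
    """Names of suites selected by *spec* whose symmetric strength is below
    *min_bits* or whose name carries one of the weak-family markers."""
    flagged = []
    for suite in expand_cipher_spec(spec):
        name = suite["name"]
        too_short = suite["strength_bits"] < min_bits
        bad_family = any(marker in name for marker in WEAK_MARKERS)
        if too_short or bad_family:
            flagged.append(name)
    return flagged


def min_strength_bits(spec):
    """Smallest symmetric key size among the suites *spec* selects."""
    return min(suite["strength_bits"] for suite in expand_cipher_spec(spec))


if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL_SPEC), ("hardened", HARDENED_SPEC)):
        suites = expand_cipher_spec(spec)
        print(f"{label}: {len(suites)} suites, weakest {min_strength_bits(spec)} bits")
        for name in weak_ciphers(spec):
            print(f"  WEAK  {name}")
```

The answer reflects the OpenSSL build the script runs against, so run it on the web server itself (or compare with `openssl ciphers -v '<spec>'` there); an OpenSSL built without export or RC4 suites will never show them, whatever the string says.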