From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 22 Jun 2014 10:59:28 -0600
From: Joseph
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] apache-2.2.27 disable SSLCipherSuite LOW 40 56 bit
Message-ID: <20140622165928.GB9332@syscon7>
References: <20140622012944.GA9332@syscon7> <201406220955.42494.michaelkintzios@gmail.com>
In-Reply-To: <201406220955.42494.michaelkintzios@gmail.com>
List-Id: Gentoo Linux mail
User-Agent: Mutt/1.5.22 (2013-10-16)
X-Archives-Salt: ce822de6-6df2-4e84-a8be-62d1ffa99f4b
X-Archives-Hash: 67cc7ff750d31db2d1ab6e058e84e73a

Thank you.
With the setting below in httpd.conf

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!RC4:!ECDHE-RSA-DES-CBC3-SHA:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS

and in vhosts.conf with:

NameVirtualHost *:443
...
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...

I get "A+" rating, so I think it should be OK

Certificate       100
Protocol Support   95
Key Exchange       80
Cipher Strength    90

--
Joseph

On 06/22/14 09:55, Mick wrote:
>On Sunday 22 Jun 2014 02:29:44 Joseph wrote:
>> Before upgrading to apache 2.2.27 I had this line in httpd.conf
>> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>>
>> and I was getting "A-" rating from: www.ssllabs.com
>>
>> Now after upgrading to apache-2.2.27 I'm getting "C" because of weak Cipher
>> Strength inclusion:
>>
>> TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
>> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
>> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
>> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK 40
>> TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
>> TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 56
>>
>> How to get rid of it? I've tried setting in 00_default_ssl_vhost.conf
>>
>> SSLProtocol all -SSLv2 -SSLv3
>
>It should be better to set -ALL to disable all protocols and then explicitly
>enable only the protocols that you want to trust as secure, e.g. +TLSv1.2
>
>> SSLCompression Off
>> SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED
>> !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
>
>This leaves the anonymous DH enabled which will give you a poor rating.
>
>> or
>> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>
>This enables RC4 which may give you a poor rating - not sure. Better you move
>it down the list so that more secure ciphers are tried first.
>
>> nothing helps, I'm still getting "C" because of weak Cipher Strength
>> inclusion.
>
>This is because you inadvertently allow weak ciphers in your directives above.
>
>Try running openssl ciphers -v to see what your directives allow and
>in what order. Then modify them accordingly.
>
>HTH.
>--
>Regards,
>Mick
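Mick's advice in the thread is to run `openssl ciphers -v` on the cipher string and read what it admits and in what order. The script below, an added example that is not part of the mailing-list thread, turns that into a repeatable check: it parses output in the `openssl ciphers -v` line format and flags the suite classes the thread treats as weak (export grade, 40- and 56-bit encryption, RC4, MD5, anonymous DH) along with each suite's position in the preference order, since ordering was also raised. The `SAMPLE_LISTING` lines are constructed for the example, not captured from anyone's server; `openssl_ciphers()` only shells out when an openssl binary is on PATH, and all function names are this example's own. Apache's `SSLCipherSuite` takes an OpenSSL cipher string directly, so the same string can be passed to `openssl ciphers -v` unchanged.

```python
"""Check what an SSLCipherSuite string actually lets through.

Added example, not code from the mailing-list thread. Parses the output
format of `openssl ciphers -v` and flags weak suites with their position
in the preference order. SAMPLE_LISTING is constructed; openssl_ciphers()
runs only if an openssl binary is installed.
"""
import re
import shutil
import subprocess
from typing import List, Optional

# Constructed sample in `openssl ciphers -v` format for a spec that still
# admits RC4, 3DES, anonymous DH, single DES and export-grade suites.
SAMPLE_LISTING = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# One `openssl ciphers -v` line: name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=, optional "export".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)


def parse_cipher_line(line: str) -> Optional[dict]:
    """Parse one `openssl ciphers -v` line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    cipher = m.groupdict()
    cipher["bits"] = int(cipher["bits"])
    cipher["export"] = cipher["export"] is not None
    return cipher


def weaknesses(cipher: dict) -> List[str]:
    """Return the reasons a suite would be marked weak; empty list if none apply."""
    reasons = []
    if cipher["export"]:
        reasons.append("export-grade")
    if cipher["bits"] <= 56:
        reasons.append(f"{cipher['bits']}-bit {cipher['enc']}")
    if cipher["enc"].upper() == "RC4":
        reasons.append("RC4")
    if cipher["mac"].upper() == "MD5":
        reasons.append("MD5 MAC")
    if cipher["au"] == "None":
        reasons.append("anonymous key exchange (no authentication)")
    if cipher["enc"].upper() == "3DES":
        reasons.append("3DES (112-bit effective, legacy)")
    return reasons


def audit_listing(listing: str) -> List[dict]:
    """Flag weak suites in a listing. `position` is the 0-based index in the
    preference order, so a low number means the suite is offered early."""
    report = []
    position = 0
    for line in listing.splitlines():
        cipher = parse_cipher_line(line)
        if cipher is None:
            continue  # blank or non-cipher line
        reasons = weaknesses(cipher)
        if reasons:
            report.append({"position": position, "name": cipher["name"], "reasons": reasons})
        position += 1
    return report


def openssl_ciphers(spec: str) -> Optional[str]:
    """Run `openssl ciphers -v SPEC` (the same string Apache's SSLCipherSuite
    takes) when an openssl binary is on PATH; None otherwise or on error."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", spec], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    # Joseph's original directive from the thread, fed to a real openssl when
    # one is available; otherwise the constructed sample is audited.
    listing = openssl_ciphers("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT") or SAMPLE_LISTING
    for entry in audit_listing(listing):
        print(f"#{entry['position']:<3} {entry['name']:<28} {', '.join(entry['reasons'])}")
```

Any flagged entry with a low position is the ordering problem Mick describes: a weak suite the server would offer before its stronger ones. Re-run the audit after each change to the directive until the report is empty for the suites you care about.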