Auguss
Joined: 07 Dec 2015 Posts: 3 Location: USA
Posted: Sun 01 Apr '18 19:57 Post subject: Secure server by disabling weak ciphers ?

Having trouble securing a server by eliminating or implicitly denying weak ciphers.
I have been using this list to disable ciphers:
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
Qualys SSL Labs says these are my weak ciphers:
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS WEAK 112
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
Below is my cipher suite order.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:-AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DES-CBC-SHA:!LOW:!NULL:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DSS
I have tried both "!" and "-" to disable the ciphers that are considered weak. I have also attempted to place the disabled ciphers in front, and scanned through the list to ensure each cipher is listed only once.
What am I doing wrong?

pbhq
Joined: 17 Mar 2013 Posts: 37 Location: Germany
Posted: Sun 01 Apr '18 23:23 Post subject: Re: Secure server by disabling weak ciphers ?

I'm using this one:
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:!DSS
Hope it helps ...

Auguss
Joined: 07 Dec 2015 Posts: 3 Location: USA
Posted: Mon 02 Apr '18 17:44

Still getting the same weak ciphers appearing.

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 02 Apr '18 20:41

This is what I have, and I get an A+ at https://www.ssllabs.com/ssltest.
I did, however, turn off TLSv1 at the beginning of the year.
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
SSLProxyCipherSuite is the same.

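A local check that applies to both the cipher string in the question and the one in glsmith's post (added example, not code from the thread, from Apache or from Qualys): Python's ssl module hands the string to the same libssl cipher-list parser that mod_ssl uses, so you can see which suites the string actually enables before running a scanner. It assumes Python's ssl module is linked against OpenSSL 1.1.0 or newer (needed for get_ciphers() and the CHACHA20 suites); the suite ids in WEAK_SUITE_IDS are the ones from the Qualys output quoted in the question, and the names WEAK_SUITE_IDS, expand_cipher_string, weak_suites_enabled and PERMISSIVE_EXAMPLE are mine.

```python
"""Expand an Apache SSLCipherSuite value with the local OpenSSL and compare the
enabled suites against the ones a scanner reported as weak.

Added example (not code from the thread). Assumes Python's ssl module is built
against OpenSSL 1.1.0+ so that SSLContext.get_ciphers() is available.
"""
import ssl

# Suite ids (hex values in the Qualys SSL Labs report quoted in the question).
WEAK_SUITE_IDS = {
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# The SSLCipherSuite value from the question (copied from the thread).
QUESTION_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:"
    "!DHE-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:"
    "-AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:"
    "!DES-CBC-SHA:!LOW:!NULL:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DSS"
)

# The SSLCipherSuite value from glsmith's A+ configuration (copied from the thread).
ANSWER_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS"
)

# Constructed counter-example: a string that still permits static-RSA key exchange.
PERMISSIVE_EXAMPLE = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384"


def expand_cipher_string(cipher_string):
    """Return {suite_id: openssl_name} for every TLS 1.2-and-earlier suite the
    string enables, as the local libssl expands it.  A leading 'SSLCipherSuite'
    directive name is tolerated so a line can be pasted straight from httpd.conf.
    SSL_CIPHER_get_id() prefixes TLS suite ids with 0x0300, so mask to 16 bits."""
    parts = cipher_string.split(None, 1)
    if parts and parts[0] == "SSLCipherSuite":
        cipher_string = parts[1] if len(parts) > 1 else ""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing at all matches
    enabled = {}
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not governed by SSLCipherSuite
        enabled[cipher["id"] & 0xFFFF] = cipher["name"]
    return enabled


def weak_suites_enabled(cipher_string):
    """Sorted IANA names of the scanner-flagged suites the string still enables."""
    enabled = expand_cipher_string(cipher_string)
    return sorted(WEAK_SUITE_IDS[i] for i in enabled if i in WEAK_SUITE_IDS)


if __name__ == "__main__":
    for label, value in (("question", QUESTION_CIPHERS),
                         ("glsmith", ANSWER_CIPHERS),
                         ("permissive", PERMISSIVE_EXAMPLE)):
        enabled = expand_cipher_string(value)
        weak = weak_suites_enabled(value)
        print(f"{label}: {len(enabled)} suites enabled, "
              f"weak ones: {weak if weak else 'none'}")
        for suite_id, name in sorted(enabled.items()):
            print(f"  0x{suite_id:04x} {name}")
```

Run against the question's own string, the expansion contains only ECDHE-RSA and DHE-RSA suites, so the static-RSA and 3DES suites the scanner listed are already excluded by that directive. When the local expansion is clean but the scanner still reports those suites, the scanned site is most likely not using that directive (a different VirtualHost, a config that was not reloaded, or an SSLCipherSuite set elsewhere); `httpd -S` shows which vhost and config file serve the scanned name. The check says nothing about preference order, which is what SSLHonorCipherOrder controls, only about which suites the server will accept at all.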
Auguss
Joined: 07 Dec 2015 Posts: 3 Location: USA
Posted: Sat 07 Apr '18 15:46 Post subject: That worked.

Thanks.