logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.


Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Secure server by disabling weak ciphers ?
Author
Auguss



Joined: 07 Dec 2015
Posts: 3
Location: USA

PostPosted: Sun 01 Apr '18 19:57    Post subject: Secure server by disabling weak ciphers ? Reply with quote

Having trouble securing a server with eliminating or implicitly denying weak ciphers.

I have been using this list to disable ciphers:
"https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite"

Qualy SSL Labs Says these are my weak ciphers:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits FS WEAK 112
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112


Below is my cipher suite order.

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:-AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DES-CBC-SHA:!LOW:!NULL:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DSS

I have tried both the "!" and "-" to disable the ciphers that are considered weak. I have also attempted to place the disabled ciphers in front. Scanned through the list to ensure only each cipher is listed once.

What am I doing wrong?
Back to top
pbhq



Joined: 17 Mar 2013
Posts: 37
Location: Germany

PostPosted: Sun 01 Apr '18 23:23    Post subject: Re: Secure server by disabling weak ciphers ? Reply with quote

I'm using this one:

SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:!DSS

Hope it helps ...
Back to top
Auguss



Joined: 07 Dec 2015
Posts: 3
Location: USA

PostPosted: Mon 02 Apr '18 17:44    Post subject: Reply with quote

Still getting the same weak ciphers appearing.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2251
Location: Sun Diego, USA

PostPosted: Mon 02 Apr '18 20:41    Post subject: Reply with quote

This is what I have and get at A+ at https://www.ssllabs.com/ssltest.
I however turned off TLSv1 at the begining of the year.

SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

SSLProxyCipherSuite is same
Back to top
Auguss



Joined: 07 Dec 2015
Posts: 3
Location: USA

PostPosted: Sat 07 Apr '18 15:46    Post subject: That worked. Reply with quote

Thanks.
Back to top


Reply to topic   Topic: Secure server by disabling weak ciphers ? View previous topic :: View next topic
Post new topic   Forum Index -> Apache