
I am getting a server ready for PCI compliance, and have one area with crypto from Apache with the following report:

Weak ciphers offered by this service:
  SSL3_RSA_RC4_128_MD5
  SSL3_RSA_RC4_128_SHA
  TLS1_RSA_RC4_128_MD5
  TLS1_RSA_RC4_128_SHA

Apache /etc/httpd/httpd/conf.d/ssl.conf contains:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLHonorCipherOrder On

Is there anything I am doing wrong? What ciphers should be used to pass the above warning?

morleyc
  • http://stackoverflow.com/questions/5769331/please-provide-an-apache-sslciphersuite-that-will-pass-a-pci-compliance-scan – ceejayoz Sep 10 '14 at 16:51
  • What version of openssl was apache compiled with? If new enough, I would try to use TLS1.1 and TLS1.2 and drop TLS1.0 and SSL2.0 and SSL3.0 completely. The "high" ciphers on TLS1.0 and SSL3.0 are either vulnerable because not strong enough (below 128 bits), use weak hashing algorithms (md5), vulnerable cipher methods (rc4) or "prone" to attacks like BEAST (cbc methods), leaving no ciphersuite for you to employ. – NuTTyX Sep 10 '14 at 19:57
  • CentOS 6.5 is using `OpenSSL 1.0.1e-fips 11 Feb 2013`. What would the ssl.conf lines be to disable the protocols you mentioned and bring in the ciphers? – morleyc Sep 11 '14 at 01:45
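The scanner flags RC4 because the posted SSLCipherSuite never removes it: `RC4+RSA` adds nothing that `ALL` did not already include, and `+HIGH:+MEDIUM` only reorders, so the RC4 suites stay offered at the tail of the list. The following added example (not from the question or the comments) models the openssl ciphers(1) string rules over a small, hand-constructed subset of OpenSSL 1.0.1's cipher table to show that effect, and compares it with an assumed hardened string that drops RC4, MD5 and 3DES outright.

```python
# Constructed subset of OpenSSL 1.0.1's cipher table, not dumped from a real
# build: suite name -> every alias it matches (strength, key exchange/auth,
# cipher, MAC, protocol). ALL covers everything except eNULL suites.
ALIASES = {
    "AES256-SHA":         {"ALL", "HIGH", "RSA", "kRSA", "aRSA", "AES", "SHA1", "SHA", "TLSv1"},
    "DHE-RSA-AES256-SHA": {"ALL", "HIGH", "kEDH", "EDH", "aRSA", "AES", "SHA1", "SHA", "TLSv1"},
    "AES128-SHA":         {"ALL", "HIGH", "RSA", "kRSA", "aRSA", "AES", "SHA1", "SHA", "TLSv1"},
    "DES-CBC3-SHA":       {"ALL", "HIGH", "RSA", "kRSA", "aRSA", "3DES", "SHA1", "SHA", "SSLv3"},
    "RC4-SHA":            {"ALL", "MEDIUM", "RSA", "kRSA", "aRSA", "RC4", "SHA1", "SHA", "SSLv3"},
    "RC4-MD5":            {"ALL", "MEDIUM", "RSA", "kRSA", "aRSA", "RC4", "MD5", "SSLv3"},
    "DES-CBC-SHA":        {"ALL", "LOW", "RSA", "kRSA", "aRSA", "DES", "SHA1", "SHA", "SSLv3"},
    "EXP-RC4-MD5":        {"ALL", "EXPORT", "EXP", "RSA", "kRSA", "aRSA", "RC4", "MD5", "SSLv3"},
    "ADH-AES128-SHA":     {"ALL", "HIGH", "ADH", "aNULL", "kEDH", "AES", "SHA1", "SHA", "TLSv1"},
    "NULL-SHA":           {"eNULL", "NULL", "RSA", "kRSA", "aRSA", "SHA1", "SHA", "SSLv3"},
}


def expand(cipher_string):
    """Preference-ordered suite names selected by an OpenSSL cipher string.

    Rules per openssl ciphers(1): '!' deletes permanently, '-' deletes but
    later terms may re-add, '+' moves existing matches to the end, no prefix
    appends matches not already present, and 'A+B' means A AND B.
    """
    order, killed = [], set()
    for term in cipher_string.split(":"):
        op = term[0] if term[0] in "!-+" else ""
        wanted = set(term[len(op):].split("+"))      # e.g. RC4+RSA -> {RC4, RSA}
        matches = [n for n, a in ALIASES.items() if wanted <= a]
        if op == "!":                                  # gone for good
            killed.update(matches)
            order = [n for n in order if n not in matches]
        elif op == "-":                                # gone unless re-added
            order = [n for n in order if n not in matches]
        elif op == "+":                                # reorder only, add nothing
            order = [n for n in order if n not in matches] + [n for n in order if n in matches]
        else:                                          # append only what is new
            order += [n for n in matches if n not in order and n not in killed]
    return order


def rc4_offered(cipher_string):
    """Suites left in the final list that a PCI scan would flag for RC4."""
    return [n for n in expand(cipher_string) if "RC4" in ALIASES[n]]


POSTED = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
# Assumed hardened alternative (not from the page): start from HIGH and
# strip anonymous/null suites plus MD5, RC4 and 3DES explicitly.
HARDENED = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"

if __name__ == "__main__":
    for label, s in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, expand(s), "RC4 offered:", rc4_offered(s))
```

Against a real build, `openssl ciphers -v 'STRING'` gives the authoritative expansion; the model only explains why `+HIGH:+MEDIUM` demotes RC4 instead of removing it.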
