2

(Please do not close it. It is not a duplicate of SSLCipherSuite - disable weak encryption, cbc cipher and md5 based algorithm)

I use Apache 2.2. I have started to get the following message from the scanner:

> Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
> Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.

Unfortunately I cannot use TLS 1.1 (I plan to do that only in the next major version).

I want to block CBC ciphers, but I did not succeed in doing so.

I configured the following ciphers but it did not help:

```
SSLCipherSuite HIGH:!ADH:!MD5:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
```

How can I prevent CBC ciphers while using TLS 1.0 in Apache?

Added

I have tested my environment with TestSSLServer as recommended at OWASP: https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29

I get the following output:

```
Supported versions: TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.0
     RSA_WITH_3DES_EDE_CBC_SHA
     DHE_RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     DHE_RSA_WITH_AES_256_CBC_SHA
     RSA_WITH_CAMELLIA_128_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
     RSA_WITH_CAMELLIA_256_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
```

I can see only CBC ciphers!

Is it possible to prevent CBC ciphers while using TLS 1.0 in Apache?

Michael
  • Chipers != ciphers. :) – EEAA Dec 02 '15 at 14:20
  • 2
    The only non-CBC ciphersuites in TLS1.0 (and 1.1) use RC4, against which attacks have gotten good enough it is recently [officially prohibited for all Internet use](https://tools.ietf.org/html/rfc7465). The browsers I can easily test (IE11, Firefox, Chrome) won't accept RC4 initially, only on a retry which takes longer. Some RC4 ciphersuites are among the long-broken and prohibited export ones, so you can simply specify the only acceptable ones as `SSLCipherSuite RC4-SHA:RC4-MD5`. – dave_thompson_085 Dec 03 '15 at 07:26
  • 1
    PS: some(?) scanners complain about CBC in TLS1.0 because of BEAST, which was actually a false alarm; it was never spotted in the wild, and more importantly is now almost universally blocked by record splitting, so TLS1.0 CBC is not actually a vulnerability. **SSLv3** CBC is spec'ed differently, and is very vulnerable to POODLE, hence the O-for-obsolete in the acronym. – dave_thompson_085 Dec 03 '15 at 07:31
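
The scan result in the question, and the comment that the only non-CBC suites in TLS 1.0 use RC4, can be checked mechanically. The following is an added example, not code from the original posts: it parses TestSSLServer-style output and lists, per protocol version, the suites that would remain under a no-CBC policy. The function names and the trimmed sample input are constructed for illustration.

```python
import re

# Constructed sample in the TestSSLServer format quoted in the question (trimmed).
SCAN = """\
Supported versions: TLSv1.0
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.0
     RSA_WITH_3DES_EDE_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
"""

VERSION_RE = re.compile(r"^\s+((?:SSL|TLS)v[\d.]+)\s*$")
SUITE_RE = re.compile(r"^\s+((?:TLS_)?\w+_WITH_\w+)\s*$")


def parse_scan(text):
    """Return {protocol version: [suite names]} from TestSSLServer-style output."""
    suites, current = {}, None
    for line in text.splitlines():
        if (m := VERSION_RE.match(line)):
            current = m.group(1)
            suites[current] = []
        elif current and (m := SUITE_RE.match(line)):
            suites[current].append(m.group(1))
    return suites


def mode(suite):
    """Classify a suite by record protection, using the cipher part of its name."""
    cipher = suite.split("_WITH_", 1)[1]
    if "_CBC" in cipher:
        return "CBC"
    if cipher.startswith("RC4"):
        return "RC4"
    if any(tag in cipher for tag in ("GCM", "CCM", "POLY1305")):
        return "AEAD"  # only defined for TLS 1.2 and later
    return "OTHER"  # e.g. NULL suites


def audit(text):
    """Per version: suites that survive a 'no CBC' policy, as (mode, name) pairs."""
    return {
        version: [(mode(n), n) for n in names if mode(n) != "CBC"]
        for version, names in parse_scan(text).items()
    }


if __name__ == "__main__":
    print(audit(SCAN))
```

An empty list for a version means that removing CBC leaves that protocol with nothing to negotiate; an `RC4` entry is a suite that RFC 7465 prohibits.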

2 Answers

1

Follow the SSLLabs or Mozilla TLS security config.

Example

```
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
```

0

As far as I know, there is no option to disable CBC and other "weak" cipher elements (RC4, etc.) while still using TLSv1 or even TLSv1.1. I hope I'm wrong, but I don't think so.

Here was my question about a similar problem and a link to the OpenSSL site: SSL config for web server compatible with PCI-DSS requirements about disabling CBC and TLSv1.0

Jack