
I have a PHP application running under Apache 2.4 on a Windows Server. One of the business security issues is to disable SSL RC4 cipher support.

I had added these lines in httpd.conf:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

But this issue still keeps coming up.

Is there something I need to do in the operating system to disable this cipher?

Thanks!

Arthur Mastropietro
  • I'm confused... you have a bunch of RC4 ciphers right in your SSLCipherSuite; granted, you also have a !RC4, but I couldn't find any documentation that indicated that doing RC4 !RC4 would necessarily remove RC4... also, as rudimeier alludes, check that you have it in the right spot – Foon Jul 29 '15 at 13:51
  • You have to have a Virtual Host to run the site as SSL; you should amend these parameters in the VH or all VHs. Remember when you create a VH Apache ignores a lot of what is configured in the `httpd.conf` file and only looks at what is in the site's VH definition – RiggsFolly Jul 29 '15 at 14:09
  • [This document](https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html) seems to cover most of what you need to know. It looks like you missed some excludes; check `HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4` – RiggsFolly Jul 29 '15 at 14:26
  • Are you using WAMPServer/XAMPP/or a manually installed stack? – RiggsFolly Jul 29 '15 at 14:29
  • Hi @RiggsFolly, I manually installed the stack. – Arthur Mastropietro Jul 29 '15 at 14:34
  • Then you should be looking in `httpd.conf` for an include of something like `wherever you installed apache/conf/extra/httpd-ssl.conf` for your SSL VHOST definitions, assuming you created your SSL VH configs in the recommended way. Otherwise they may be in the `httpd.conf` file – RiggsFolly Jul 29 '15 at 14:47
  • If you're looking to disable RC4 ciphers, why do you have RC4 and EECDH+aRSA+RC4 in the SSLCipherSuite directive? Also, the cipher-specs in this directive need to be separated by a colon (:) and not a space. – Anand Bhat Jul 29 '15 at 15:29
  • Thanks @AnandBhat, you're right. – Arthur Mastropietro Jul 29 '15 at 15:37

2 Answers


We've been doing this for disabling SSL3 and RC4 filters on Windows. Save the following code as DisableSSLv3AndRC4.reg and double-click it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

You can test it afterwards with https://www.ssllabs.com/

rdaniels
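Added check (not part of rdaniels's answer): after importing the .reg file, this PowerShell script reads the same SCHANNEL values back and reports which of them are still in their enabled state. It uses the .NET registry API instead of the `HKLM:` drive because the PowerShell registry provider treats the `/` in key names such as `RC4 128/128` as a path separator; it assumes it runs on the server itself with rights to read HKLM.

```powershell
# Audit script, added as an example; not part of the answer above.
# Reads back the SCHANNEL values that DisableSSLv3AndRC4.reg writes and
# reports whether each one is in its "disabled" state.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Sub-key, value name, and the value that means "disabled" for that key.
$checks = @(
    @{ Sub = 'Protocols\SSL 3.0\Client'; Name = 'DisabledByDefault'; Expect = 1 },
    @{ Sub = 'Protocols\SSL 3.0\Server'; Name = 'Enabled';           Expect = 0 },
    @{ Sub = 'Ciphers\RC4 128/128';      Name = 'Enabled';           Expect = 0 },
    @{ Sub = 'Ciphers\RC4 40/128';       Name = 'Enabled';           Expect = 0 },
    @{ Sub = 'Ciphers\RC4 56/128';       Name = 'Enabled';           Expect = 0 }
)

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    # .NET registry API: only "\" is a separator here, so "RC4 128/128" resolves.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }   # key absent: the Windows default applies
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

$report = foreach ($c in $checks) {
    $actual = Get-SchannelValue -SubKey $c.Sub -Name $c.Name
    [pscustomobject]@{
        Key      = $c.Sub
        Value    = $c.Name
        Expected = $c.Expect
        Actual   = if ($null -eq $actual) { '(missing)' } else { $actual }
        Disabled = ($actual -eq $c.Expect)   # $null never equals the expected value
    }
}

$report | Format-Table -AutoSize
if ($report.Disabled -contains $false) {
    Write-Warning 'SSL 3.0 or RC4 is still enabled in SCHANNEL; apply the .reg file and reboot.'
}
```

A missing key is reported as `(missing)` rather than passed, because an absent value leaves the Windows default in effect, which for these keys means enabled.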

You should place your 3 lines into the `<VirtualHost>` section, along with the rest of your SSL-specific config keys like `SSLEngine` and `SSLCertificateFile`.

rudimeier