| View previous topic :: View next topic |
| Author |
Message |
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2577
Location: Edmonton, AB
|
 Posted: Mon Apr 28, 2014 5:18 pm Post subject: [SOLVED] elimindate Cipher Suites sorted by strength; 40 |
 |
|
From
https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca
I'm getting: | Code: | Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK 40
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 56 |
So I'm getting "C" mark.
How to eliminate 40 bit key support?
And how to fix:
| Quote: | | The server does not support Forward Secrecy with the reference browsers |
Last edited by Joseph_sys on Sun Jun 22, 2014 3:33 am; edited 1 time in total |
|
| Back to top |
|
 |
Duncan Mac Leod
Apprentice
Joined: 02 May 2004
Posts: 263
Location: Germany
|
| Posted: Sat Jun 21, 2014 8:24 pm Post subject: Re: elimindate Cipher Suites sorted by strength; 40 |
|
|
| Joseph_sys wrote: | From
https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca
I'm getting: | Code: | Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK 40
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 56 |
So I'm getting "C" mark.
How to eliminate 40 bit key support?
And how to fix:
| Quote: | | The server does not support Forward Secrecy with the reference browsers |
|
To get an A+ rating on this Site  , look at my posting: https://forums.gentoo.org/viewtopic-t-990050.html |
|
| Back to top |
|
|
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2577
Location: Edmonton, AB
|
| Posted: Sat Jun 21, 2014 10:31 pm Post subject: Re: elimindate Cipher Suites sorted by strength; 40 |
|
|
Thanks, where do I insert the blow code:
| Code: | SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" |
Now I'm getting an "F" mark :-/
This server supports anonymous (insecure) suites (see below for details). Grade set to F.
| Code: | TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016) INSECURE 128
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256 |
|
|
| Back to top |
|
|
Duncan Mac Leod
Apprentice
Joined: 02 May 2004
Posts: 263
Location: Germany
|
| Posted: Sat Jun 21, 2014 10:43 pm Post subject: Re: elimindate Cipher Suites sorted by strength; 40 |
|
|
Insert my Config-lines in: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
I am running apache-2.2.27 and got an A+ rating. Don't know what your configs look like... - sorry!
Check your config for duplicate lines like 'SSLCipherSuite' !! |
|
| Back to top |
|
|
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2577
Location: Edmonton, AB
|
| Posted: Sun Jun 22, 2014 1:07 am Post subject: Re: elimindate Cipher Suites sorted by strength; 40 |
|
|
| Duncan Mac Leod wrote: | Insert my Config-lines in: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
I am running apache-2.2.27 and got an A+ rating. Don't know what your configs look like... - sorry!
Check your config for duplicate lines like 'SSLCipherSuite' !! |
I was getting "A-" from ssl lab:
https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca
with this code before upgrading apache two months ago:
| Code: | SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT |
Now with apache-2.2.27 I get "C" because of weak Cipher Strength inclusion:
| Code: | TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK 40
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 56 |
How to eliminate it? I've tried your setting doesn't help: | Code: | SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" |
|
|
| Back to top |
|
|
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2577
Location: Edmonton, AB
|
| Posted: Sun Jun 22, 2014 3:32 am Post subject: |
|
|
I got "A" grade 
with in httpd.conf
| Code: | SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:EECDH:-RC4:EDH:-CAMELLIA:-SEED:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" |
| Code: | Certificate 100
Protocol Support 95
Key Exchange 80
Cipher Strength 90 |
|
|
| Back to top |
|
|
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2577
Location: Edmonton, AB
|
| Posted: Sun Jun 22, 2014 4:43 am Post subject: |
|
|
I got an "A" but I'm still getting some errors from SSL Lab:
| Code: | Handshake Simulation
IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch Fail3
IE 8 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch Fail3
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version |
|
|
| Back to top |
|
|
freke
l33t
Joined: 23 Jan 2003
Posts: 605
Location: Somewhere in Denmark
|
| Posted: Sun Jun 22, 2014 6:38 am Post subject: |
|
|
I get A+ with:
| Code: | SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS |
Gives me:
| Code: | Protocol Support 95
Key Exchange 100
Cipher Strength 90 |
It fails handshake simulation for IE6/XP and Java6u45 - not clients I'm interested in serving anyway 
Apache 2.4.9-r3 + OpenSSL 1.0.1h-r1 both from portage |
|
| Back to top |
|
|
Joseph_sys
Advocate
Joined: 08 Jun 2004
Posts: 2577
Location: Edmonton, AB
|
| Posted: Sun Jun 22, 2014 4:28 pm Post subject: |
|
|
| freke wrote: | I get A+ with:
| Code: | SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS |
Gives me:
| Code: | Protocol Support 95
Key Exchange 100
Cipher Strength 90 |
It fails handshake simulation for IE6/XP and Java6u45 - not clients I'm interested in serving anyway
Apache 2.4.9-r3 + OpenSSL 1.0.1h-r1 both from portage |
Which file do you keep these setting in?
When I put them in 00_default_ssl_vhost.conf I get "C" rating, it means something is not getting activated.
So I put them in "httpd.conf" and I get "A+" as well.
How do you get key exchange 100? With your setting I only get key echange 80
| Quote: | Certificate 100
Protocol Support 95
Key Exchange 80
Cipher Strength 90 |
In addition you forgot to mention that in order to get "A+" one need to have in vhosts.conf
under:
| Code: | NameVirtualHost *:443
...
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...
|
|
|
| Back to top |
|
|
Duncan Mac Leod
Apprentice
Joined: 02 May 2004
Posts: 263
Location: Germany
|
|
| Back to top |
|
|
freke
l33t
Joined: 23 Jan 2003
Posts: 605
Location: Somewhere in Denmark
|
| Posted: Mon Jun 23, 2014 4:47 am Post subject: |
|
|
I only remember modifying 00_default_ssl_vhost.conf:
| Code: | Listen 443
SSLStaplingCache shmcb:/var/log/apache/ssl_gcache_data(512000)
..
<VirtualHost _default_:443>
..
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
SSLUseStapling on
SSLCompression off
..
</VirtualHost> |
On further investigating my system I see that SSLCompression is off by default (in /etc/apache/modules.d/40_mod_ssl.conf) |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6880
|
| Posted: Fri Jun 27, 2014 4:48 am Post subject: |
|
|
Just to add my 2¢:
On servers where I don't care about winxp, I use "TLSv1.2+HIGH+kEECDH:TLSv1.2+HIGH+kEDH:!AES128:!aNULL:!eNULL" along with disabling SSLv2/3, which is kind of overkill but (hopefully) very safe. It gets me a theoretical A rating on that test (would be A+ except I'd need to screw with DH params and I don't know what I'm doing there).
For places where I need a bit more compatibility (specifically because some lameness in the TLS stack on my android phone prevents me accessing my own IM account) I use "TLSv1.2+HIGH+kEECDH:TLSv1.2+HIGH+kEDH:TLSv1+HIGH:!AES128:!3DES:!CAMELLIA:!aNULL" |
|
| Back to top |
|
|
|
Networking & Security
