Disable all but RC4 in apache

Posted by Daniel on Server Fault See other posts from Server Fault or by Daniel
Published on 2012-09-20T21:17:27Z Indexed on 2012/09/29 3:41 UTC
Read the original article Hit count: 480

Filed under:
|
|
|
|

Our PCI compliance vendor requires that we disable all but RC4 encryption on our web server. Currently our apache config file looks like this:

SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC:!aNull:!eNull:!LOW:!SSLv2

However, https://www.ssllabs.com reports the following ciphers are allowed:

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

How can I configure apache to only allow RC4?

© Server Fault or respective owner

Related posts about apache2

Related posts about ssl