SSLCipherSuite - disable weak encryption, cbc cipher and md5 based algorithm
Posted by John on Server Fault
Published on 2013-11-01T23:55:14Z
A developer recently ran a PCI Scan with TripWire against our LAMP server. They identified several issues and instructed the following to correct the issues:
Problem: SSL Server Supports Weak Encryption for SSLv3, TLSv1,
Solution: Add the following rule to httpd.conf
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Problem: SSL Server Supports CBC Ciphers for SSLv3, TLSv1
Solution: Disable any cipher suites using CBC ciphers
Problem: SSL Server Supports Weak MAC Algorithm for SSLv3, TLSv1
Solution: Disable any cipher suites using MD5 based MAC algorithms
I tried searching Google for a comprehensive tutorial on how to construct an SSLCipherSuite directive to meet my requirements, but I didn't find anything I could understand. I see examples of SSLCipherSuite directives, but I need an explanation of what each component of the directive does. So even in the directive SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM, I don't understand, for example, what the !LOW means.
Can someone either a) tell me the SSLCipherSuite directive that will meet my needs or b) show me a resource that clearly explains what each segment of an SSLCipherSuite is and how to construct one?
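An added example, not part of the original post: a small checker that expands a cipher string with the local OpenSSL build and flags each resulting suite against the three scan findings quoted above. The sample lines are constructed, and the 128-bit threshold for "weak encryption" is an assumption, since the post does not give the scanner's definition.

```python
import re
import ssl

# Cipher string from the page; "!X" drops X for good, "+X" moves X to the end.
PAGE_STRING = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# Block ciphers as shown in the Enc= column; without GCM/CCM they run in CBC mode.
CBC_ENC = re.compile(r"^(AES|3DES|DES|Camellia|SEED|IDEA|RC2)\(", re.I)

# Constructed sample lines in `openssl ciphers -v` layout (not output from the page).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
"""

def classify(line):
    """Return (suite, findings) for one `openssl ciphers -v` style line."""
    fields = line.split()
    cols = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    enc, mac = cols.get("Enc", ""), cols.get("Mac", "")
    bits = re.search(r"\((\d+)\)", enc)
    findings = []
    # Assumption: "weak encryption" means no encryption or a key under 128 bits.
    if enc == "None" or (bits and int(bits.group(1)) < 128):
        findings.append("weak-encryption")
    if CBC_ENC.match(enc):
        findings.append("cbc")
    if mac == "MD5":
        findings.append("md5-mac")
    # RC4 is outside the page's three findings, so not flagged (RFC 7465 later banned it).
    return fields[0], findings

def flagged(lines):
    """Map suite name -> findings for every line that trips a check."""
    results = (classify(l) for l in lines if l.strip())
    return {name: f for name, f in results if f}

def audit(cipher_string):
    """Expand a cipher string with the local OpenSSL build and flag its suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return flagged(c["description"] for c in ctx.get_ciphers())

if __name__ == "__main__":
    print(flagged(SAMPLE.splitlines()))
    print(audit(PAGE_STRING))
```

In the constructed sample only the GCM suite and RC4-SHA pass all three checks, and GCM suites require TLS 1.2. The result of `audit()` depends on which suites the local OpenSSL build still ships.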