SSLCipherSuite - disable weak encryption, cbc cipher and md5 based algorithm

Posted by John on Server Fault See other posts from Server Fault or by John
Published on 2013-11-01T23:55:14Z Indexed on 2013/11/02 3:57 UTC
Read the original article Hit count: 480

Filed under:
|

A developer recently ran a PCI Scan with TripWire against our LAMP server. They identified several issues and instructed the following to correct the issues:

Problem: SSL Server Supports Weak Encryption for SSLv3, TLSv1,

Solution: Add the following rule to httpd.conf

SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Problem: SSL Server Supports CBC Ciphers for SSLv3, TLSv1

Solution: Disable any cipher suites using CBC ciphers

Problem: SSL Server Supports Weak MAC Algorithm for SSLv3, TLSv1

Solution: Disable any cipher suites using MD5 based MAC algorithms

I tried searching google for a comprehensive tutorial on how to construct an SSLCipherSuite directive to meet my requirements, but I didn't find anything I could understand. I see examples of SSLCipherSuite directives, but I need an explanation on what each component of the directive does. So even in the directive SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM, I dont understand for example what the !LOW means.

Can someone either a) tell me the SSLCipherSuite directive that will meet my needs or b) show me a resource that clearly explains each segment of a SSLCipherSuite is and how to construct one?

© Server Fault or respective owner

Related posts about ssl

Related posts about tls