Thread: Do you deal with auditors?




2005-12-19 17:54:28
Dustin Butler wrote:
> I do. I can't seem to get the weak ciphers off my web server.
> Every time they run a security scan I have to explain why weak SSL is
> showing up as a vulnerability. Can someone tell me what I'm doing wrong?

Only SSLRequiredCiphers changes the ciphers that are offered.
SSLBanCipher and SSLRequireCipher are both after-the-fact (and
per-directory).

> 
> Here is my Configuration
> 
> <VirtualHost xxx.xxx.xxx.xxx:443>
>        Include conf/trace.fix
>        ServerName www.xxxxxxxx.com
>        VirtualDocumentRoot /httpd/xxx.xxx.xxx.xxx:443/%0/html
>        SSLNoV2
>        SSLBanCipher EXP-RC4-MD5 EXP1024-RC4-SHA
>        SSLEnable
>        SSLCertificateFile /opt/apache/conf/certificate/www.xxxxxxxxxxx.com.crt
>        SSLCertificateKeyFile /opt/apache/conf/certificate/www.xxxxxxxx.com.key
> </VirtualHost>
> 
> I'm using the Saint vulnerability scanner and it reports weak ciphers
> still being used. A couple of them (EXP-RC4-MD5, EXP1024-RC4-MD5) I've
> explicitly banned using the SSLBanCipher directive. But these still
> show up as supported ciphers
> 
> Supported ciphers:
> EXP-RC4-MD5:TLSv1/SSLv3:40-bit
> RC4-MD5:TLSv1/SSLv3:128-bit
> RC4-SHA:TLSv1/SSLv3:128-bit
> EXP-RC2-CBC-MD5:TLSv1/SSLv3:40-bit
> EXP-DES-CBC-SHA:TLSv1/SSLv3:40-bit
> DES-CBC-SHA:TLSv1/SSLv3:56-bit
> DES-CBC3-SHA:TLSv1/SSLv3:168-bit
> EXP1024-RC4-MD5:TLSv1/SSLv3:56-bit
> EXP1024-RC2-CBC-MD5:TLSv1/SSLv3:56-bit
> EXP1024-DES-CBC-SHA:TLSv1/SSLv3:56-bit
> EXP1024-RC4-SHA:TLSv1/SSLv3:56-bit
> AES128-SHA:TLSv1/SSLv3:128-bit
> AES256-SHA:TLSv1/SSLv3:256-bit
> 
> Dustin Butler
> Intrcomm Technology
> 
> Skype: dustinbutler
> ICQ: 77617603
> AIM: DustinBtlr
> 
> -----------------------------------------------------------------------------------
> 
> to unsubscribe, send a blank email to:
> apache-ssl-unsubscribelists.aldigital.co.uk
> 
> 


-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
**  ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ **
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
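
The reply's point, that only the offered list matters to a scanner, as an added example (not part of the original message and not Apache-SSL project code): it parses the scan report quoted above, separates export-grade and short-key ciphers, and builds an allow-list line for SSLRequiredCiphers. The 128-bit threshold and the colon-separated list of OpenSSL cipher names as the directive's argument are assumptions.

```python
import re

# Cipher lines copied from the scan report quoted in the message above.
SCAN_OUTPUT = """\
EXP-RC4-MD5:TLSv1/SSLv3:40-bit
RC4-MD5:TLSv1/SSLv3:128-bit
RC4-SHA:TLSv1/SSLv3:128-bit
EXP-RC2-CBC-MD5:TLSv1/SSLv3:40-bit
EXP-DES-CBC-SHA:TLSv1/SSLv3:40-bit
DES-CBC-SHA:TLSv1/SSLv3:56-bit
DES-CBC3-SHA:TLSv1/SSLv3:168-bit
EXP1024-RC4-MD5:TLSv1/SSLv3:56-bit
EXP1024-RC2-CBC-MD5:TLSv1/SSLv3:56-bit
EXP1024-DES-CBC-SHA:TLSv1/SSLv3:56-bit
EXP1024-RC4-SHA:TLSv1/SSLv3:56-bit
AES128-SHA:TLSv1/SSLv3:128-bit
AES256-SHA:TLSv1/SSLv3:256-bit
"""

LINE_RE = re.compile(r"^(?P<name>[A-Z0-9-]+):(?P<proto>[^:]+):(?P<bits>\d+)-bit$")
MIN_BITS = 128  # assumption: key-length-only baseline; match your auditor's policy

def parse_scan(text):
    """Return [(cipher, protocols, key_bits)] from NAME:PROTO:NN-bit lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted input
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised scan line: {raw!r}")
        entries.append((m["name"], m["proto"], int(m["bits"])))
    return entries

def is_weak(name, bits):
    return name.startswith("EXP") or bits < MIN_BITS

def split_ciphers(entries):
    """Partition cipher names into (weak, keep), preserving report order."""
    weak = [n for n, _, b in entries if is_weak(n, b)]
    keep = [n for n, _, b in entries if not is_weak(n, b)]
    return weak, keep

def required_ciphers_directive(keep):
    """Build the allow-list line; refuse to emit an empty list."""
    if not keep:
        raise ValueError("policy leaves no ciphers enabled")
    return "SSLRequiredCiphers " + ":".join(keep)
```

Feeding the `keep` list from `split_ciphers(parse_scan(SCAN_OUTPUT))` to `required_ciphers_directive` gives the directive line; after applying it, re-run the scan and parse the new report the same way to confirm the weak list is empty.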

