Dustin Butler wrote:
>> I do. I can't seem to get the weak ciphers off my web server.
>> Every time they run a security scan I have to explain why weak SSL is
>> showing up as a vulnerability. Can someone tell me what I'm doing wrong?
> Only SSLRequiredCiphers changes the ciphers that are offered.
> SSLBanCipher and SSLRequireCipher are both after-the-fact (and
> per-directory).
So if I understand correctly, something like this is happening:

Scanner: What ciphers do you support?
Server: 1,2,3,4,5
Scanner: Oh my God! 4 is a weak cipher, I'm reporting you.

When in reality, if the scanner or a browser tried to use 4 it would be rejected.

Thanks, that helps a bunch! Was beating my head for a while on that.
>
> Here is my configuration:
>
> <VirtualHost xxx.xxx.xxx.xxx:443>
> Include conf/trace.fix
> ServerName www.xxxxxxxx.com
> VirtualDocumentRoot /httpd/xxx.xxx.xxx.xxx:443/%0/html
> SSLNoV2
> SSLBanCipher EXP-RC4-MD5 EXP1024-RC4-SHA
> SSLEnable
> SSLCertificateFile /opt/apache/conf/certificate/www.xxxxxxxxxxx.com.crt
> SSLCertificateKeyFile /opt/apache/conf/certificate/www.xxxxxxxx.com.key
> </VirtualHost>
>
> I'm using the Saint vulnerability scanner and it reports weak ciphers
> still being used. A couple of them (EXP-RC4-MD5, EXP1024-RC4-MD5) I've
> explicitly banned using the SSLBanCipher directive. But these still
> show up as supported ciphers:
>
> Supported ciphers:
> EXP-RC4-MD5:TLSv1/SSLv3:40-bit
> RC4-MD5:TLSv1/SSLv3:128-bit
> RC4-SHA:TLSv1/SSLv3:128-bit
> EXP-RC2-CBC-MD5:TLSv1/SSLv3:40-bit
> EXP-DES-CBC-SHA:TLSv1/SSLv3:40-bit
> DES-CBC-SHA:TLSv1/SSLv3:56-bit
> DES-CBC3-SHA:TLSv1/SSLv3:168-bit
> EXP1024-RC4-MD5:TLSv1/SSLv3:56-bit
> EXP1024-RC2-CBC-MD5:TLSv1/SSLv3:56-bit
> EXP1024-DES-CBC-SHA:TLSv1/SSLv3:56-bit
> EXP1024-RC4-SHA:TLSv1/SSLv3:56-bit
> AES128-SHA:TLSv1/SSLv3:128-bit
> AES256-SHA:TLSv1/SSLv3:256-bit
>
> Dustin Butler
> Intrcomm Technology
>
> Skype: dustinbutler
> ICQ: 77617603
> AIM: DustinBtlr
>
> ------------------------------------------------------------------------
>
> to unsubscribe, send a blank email to:
> apache-ssl-unsubscribe lists.aldigital.co.uk
>
--
http://www.apache-ssl.org/ben.html    http://www.thebunker.net/
** ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ **
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
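The fix Ben describes, written out as an added example rather than the configuration from the post: SSLRequiredCiphers takes an OpenSSL cipher-list string and limits what the server will negotiate in the handshake itself, so a scanner that only completes handshakes never sees the export and 56-bit suites. The directive names are Apache-SSL's; the cipher string, the www.example.com placeholder and the openssl commands in the comments are this example's own assumptions.

```apache
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName www.example.com
    SSLEnable
    SSLNoV2

    # Before: SSLBanCipher is applied per-directory after the handshake has
    # already completed with the weak suite. The client gets a 403, but a
    # scanner that stops at the handshake still records EXP-RC4-MD5 and the
    # EXP1024-* suites as "supported".
    #SSLBanCipher EXP-RC4-MD5 EXP1024-RC4-SHA

    # After: restrict what the server is willing to negotiate at all.
    #   !EXP    drops the 40-bit and 56-bit export suites (EXP-* and EXP1024-*)
    #   !LOW    drops single DES (DES-CBC-SHA, 56-bit)
    #   !aNULL  drops unauthenticated suites, !eNULL drops unencrypted ones
    #   !MD5    drops RC4-MD5
    #   @STRENGTH orders what is left by key size
    # Add :!RC4 as well if the scanner also objects to RC4-SHA.
    SSLRequiredCiphers ALL:!EXP:!LOW:!aNULL:!eNULL:!MD5:@STRENGTH

    SSLCertificateFile    /opt/apache/conf/certificate/www.example.com.crt
    SSLCertificateKeyFile /opt/apache/conf/certificate/www.example.com.key
</VirtualHost>

# Preview what the string expands to on the server's own OpenSSL build:
#   openssl ciphers -v 'ALL:!EXP:!LOW:!aNULL:!eNULL:!MD5:@STRENGTH'
# Of the suites in the scanner's list above, only RC4-SHA, DES-CBC3-SHA,
# AES128-SHA and AES256-SHA survive this string.
#
# Confirm a weak suite now fails in the handshake, before any HTTP request:
#   openssl s_client -cipher EXP-RC4-MD5 -connect www.example.com:443
```

Re-run the scan after restarting Apache-SSL; the export suites should disappear from the "Supported ciphers" list because the server no longer completes a handshake with them.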