Remediation for SSL/TLS use of weak RC4 cipher

require solution for SSL/TLS use of weak RC4 cipher specific to my environ

5:34 am on Jun 1, 2015 (gmt 0)

Hi,
I need help from you people. Your replies will be very helpful.

In our environment we have 100s of servers, each having many Apache instances.
Recently we found many of the Apache instances affected with SSL related vulnerabilities.
One of the vulnerabilities is SSL/TLS use of weak RC4 cipher, CVE-2013-2566.
I understood that for this we need to disable RC4.
In our environment we already disabled all the SSL related protocols and are using TLSv1.
Please refer to the below configuration from our environment.

SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Question 1: If I want to remediate the SSL/TLS use of weak RC4 cipher,
which one of the below will do it without changing the current cipher setup? I am aware there are many optimal cipher suites which may be best for us, but our client doesn't want to add any extra things or disable any current setup. The requirement is only to remediate this vulnerability.

Option 1:
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM

Option 2:
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:!RC4:RSA:+HIGH:+MEDIUM

Please kindly let me know whether option 1 itself will remediate the RC4 issue without affecting the application.
By seeing SSLProtocol -ALL -SSLv3 +TLSv1, I think only TLSv1.0 is used by the applications. v1.1 or v1.2 will not be allowed, I think, by this current setting. So please clarify for me whether option 1 will work fine for us, or whether after we make the option 1 change I still need to do some changes to make the application work. Regarding option 2, I am not sure if we do that then it will allow any ciphers which use the RSA algorithm and thus will make the connection weaker.

A few application teams want to fix only RC4; a few application teams want to fix the BEAST vulnerability also.
So if the application team wants to fix only the RC4 then I'll use the suggestion which you give for the above.
Question 2: If the application team wants to fix the BEAST vulnerability also, then
will this below configuration fix it, or are there any other extra ciphers we need to add?

Option 1:
SSLProtocol -ALL -SSLv3 +TLSv1.1
SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM

Apache version:
we have 2.0.65 and 2.2

openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008


Thanks in Advance
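The three SSLCipherSuite strings in the question differ only in how RC4 is handled, and what each one offers follows from the OpenSSL cipher-string rules (`!` deletes permanently and the suite can never be re-added, `-` deletes but allows re-adding, `+` only reorders, `A+B` means both A and B). The Python model below is added here as an illustration and is not part of the original post or of OpenSSL; it applies those rules to a small constructed table of 0.9.8-era suite names whose property tags and preference order are assumptions for the example.

```python
# Constructed subset of OpenSSL 0.9.8-era suites (name -> property tags), in the
# order this model treats as the initial "ALL" preference order. As in ciphers(1)
# of that era, the "RSA" tag means RSA key exchange; ADH suites are also aNULL.
CIPHERS = {
    "DHE-RSA-AES256-SHA": {"DH", "aRSA", "AES", "HIGH"},
    "AES256-SHA":         {"RSA", "aRSA", "AES", "HIGH"},
    "AES128-SHA":         {"RSA", "aRSA", "AES", "HIGH"},
    "DES-CBC3-SHA":       {"RSA", "aRSA", "3DES", "HIGH"},
    "RC4-SHA":            {"RSA", "aRSA", "RC4", "MEDIUM"},
    "RC4-MD5":            {"RSA", "aRSA", "RC4", "MEDIUM"},
    "DES-CBC-SHA":        {"RSA", "aRSA", "DES", "LOW"},
    "EXP-RC4-MD5":        {"RSA", "aRSA", "RC4", "EXP", "EXPORT"},
    "ADH-AES256-SHA":     {"DH", "ADH", "aNULL", "AES", "HIGH"},
    "NULL-SHA":           {"RSA", "aRSA", "eNULL"},
}

def matches(name, body):
    """True if the suite satisfies every '+'-joined token (A+B = A and B)."""
    tags = CIPHERS[name]
    for token in body.split("+"):
        if token == "ALL":                 # ALL = every suite except eNULL
            if "eNULL" in tags:
                return False
        elif token not in tags:
            return False
    return True

def expand(spec):
    """Evaluate a cipher string left to right with OpenSSL's list semantics."""
    order, banned = [], set()
    for word in spec.split(":"):
        op, body = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        hits = [n for n in CIPHERS if matches(n, body)]
        if op == "!":                      # deleted for good; cannot be re-added
            banned.update(hits)
            order = [n for n in order if n not in banned]
        elif op == "-":                    # deleted, but a later token may re-add
            order = [n for n in order if n not in hits]
        elif op == "+":                    # keep the set, move matches to the end
            order = [n for n in order if n not in hits] + [n for n in order if n in hits]
        else:                              # append new matches not yet listed
            order += [n for n in hits if n not in order and n not in banned]
    return order

def rc4_suites(spec):
    """RC4 suites the string still offers; an empty list means RC4 is gone."""
    return [n for n in expand(spec) if "RC4" in CIPHERS[n]]
CURRENT  = "ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
OPTION_1 = "ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM"
OPTION_2 = "ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:!RC4:RSA:+HIGH:+MEDIUM"
```

On the real server the authoritative list for its OpenSSL build comes from `openssl ciphers -v '<string>'`, which is the check worth running before and after any change.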
1:43 pm on June 15, 2015 (gmt 0)

coopster (WebmasterWorld Administrator)

Hello IamRasheed and welcome to WebmasterWorld.

You are likely running a cPanel install, because the default Apache setup will return negative RC4 cipher results on tests:
[ssllabs.com...]
You'll need to identify your target audience for the server and possibly even down to each domain you may be running on the server if it is a VPS hosting multiple domains. The following resources may prove helpful in determining which cipher you want to use. The second link is included for MS users but still worth the quick read for Apache installs:
[wiki.mozilla.org...]
[blogs.technet.com...]