Mailing List Archive: Apache: Users

Two SSL directives appear to be not working with SSL Labs server test



tom.browder at gmail

Aug 7, 2012, 5:14 AM

Post #1 of 3
Two SSL directives appear to be not working with SSL Labs server test

I have been checking my Apache 2.2.14 server with this link:

https://www.ssllabs.com/ssltest/index.html

I am trying to improve my SSL Labs security score but can't beat 85.
I am running Apache 2.2.14 (from Ubuntu's package).

I get the following scores:

Certificate 100
Protocol support 85
Key exchange 80
Cipher exchange 90

The test report shows:

This server is vulnerable to the BEAST attack.
Certificate Key RSA/4096 bits
Cipher Suites (sorted by strength; server has no preference)
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) 256

I have the following in my server block:

SSLProtocol all -SSLv2
SSLHonorCipherOrder On
# disallow DH ciphers
SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH

It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
directives aren't working according to the test report.

I see nothing in the latest Apache2 bug report about any of this. I
have found a closed bug that fixed the cipher order in 2004 (#28665).

Does anyone have any ideas about the situation?

Thanks.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


covener at gmail

Aug 7, 2012, 5:46 AM

Post #2 of 3
Re: Two SSL directives appear to be not working with SSL Labs server test [In reply to]

On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder [at] gmail> wrote:
> I have been checking my Apache 2.2.14 server with this link:
>
> https://www.ssllabs.com/ssltest/index.html
>
> I am trying to improve my SSL Labs security score but can't beat 85.
> I am running Apache 2.2.14 (from Ubuntu's package).
>
> I get the following scores:
>
> Certificate 100
> Protocol support 85
> Key exchange 80
> Cipher exchange 90
>
> The test report shows:
>
> This server is vulnerable to the BEAST attack.
> Certificate Key RSA/4096 bits
> Cipher Suites (sorted by strength; server has no preference)

I'm not sure how the tool can make that determination. SSLv3-and-later
allows the server to pick any cipher out of the intersection of what's
supported by both ends.

> TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
> TLS_RSA_WITH_RC4_128_SHA (0x5) 128
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) 128
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) 168
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) 256
>
> I have the following in my server block:
>
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder On
> # disallow DH ciphers
> SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH
>
> It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
> directives aren't working according to the test report.

What does the following report on your system?

openssl ciphers 'HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH'

When I run it on different systems, RC4 may or may not be preferred.
I'm not terribly familiar with the syntax, but it doesn't look as if
that string takes great lengths to prefer or require RC4 to mitigate
the BEAST issue.

Although I also now notice you disabled MD5 but the scan reported
rc4-md5. Are you sure it scanned your actual system and you're in the
right vhost?



tom.browder at gmail

Aug 7, 2012, 6:05 AM

Post #3 of 3
Re: Two SSL directives appear to be not working with SSL Labs server test [In reply to]

On Tue, Aug 7, 2012 at 7:46 AM, Eric Covener <covener [at] gmail> wrote:
> On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder [at] gmail> wrote:
>> I have been checking my Apache 2.2.14 server with this link:
>>
>> https://www.ssllabs.com/ssltest/index.html
...
>> Cipher Suites (sorted by strength; server has no preference)
>
> I'm not sure how the tool can make that determination. SSLv3-and-later
> allows the server to pick any cipher out of the intersection of what's
> supported by both ends

According to the site's docs (a post by Ivan Ristic), they do this, quote:

In a nutshell, here is what we do:

1. Send a list of cipher suites we wish to test (the list contains
only the suites we know are supported)

2. If the server selects a suite that's not first on the list, we know
it has a preference for it

3. If the server selects a suite that is first on the list, we put it
at the end of the list and send the list again (if the server really
has a preference for that suite, it will choose it even when the suite
is at the bottom of the list).

4. We remove the selected suite from the list and repeat the process
until we run out of suites

End quote.

>> I have the following in my server block:
>>
>> SSLProtocol all -SSLv2
>> SSLHonorCipherOrder On
>> # disallow DH ciphers
>> SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH
>>
>> It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
>> directives aren't working according to the test report.
>
> What does the following report on your system?
>
> openssl ciphers 'HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH'

I get this response:

RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA

> Although I also now notice you disabled MD5 but the scan reported
> rc4-md5. Are you sure it scanned your actual system and you're in the
> right vhost?

Well, as near as I know how to tell. The report does correctly report
my host and other details, so I assume it's finding the directives in
that block. I do have multiple vhosts, and I will see if I can put
those directives in a more general (higher) location.

I'm working on moving to openssl 1.0.1c and Apache 2.4.3, but I'm not
moving very fast.

Thanks for the reply, Eric.

Best regards,

-Tom

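The following is an added example, not code from the thread or from SSL Labs. It simulates the four-step preference probe Tom quotes from Ivan Ristic against two toy servers: one that honours its own cipher order (what SSLHonorCipherOrder On is meant to do in mod_ssl) and one that simply takes the first mutually supported suite from the ClientHello, which is the "server has no preference" behaviour the report flagged. The suite names are the ones the report lists; the server-side order is taken from the `openssl ciphers` output in Tom's reply, mapped to IANA names. The mapping and the idea of treating "suites the scan reported but the configured list cannot produce" as a sanity check (Eric's RC4-MD5 observation) are assumptions of this example, not statements from the thread.

```python
"""Constructed simulation of the SSL Labs server-preference probe quoted
above. This is added example code, not the SSL Labs scanner and not code
from the mailing-list thread.
"""
from typing import List, Optional, Tuple

# Suites the SSL Labs report listed for Tom's server, in the report's order.
REPORTED_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

# Server-side order printed by `openssl ciphers` in post #3
# (RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA), written as IANA suite names.
# The OpenSSL-name-to-IANA-name mapping is an assumption of this example.
SERVER_ORDER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


def server_select(offered: List[str], server_order: List[str],
                  honor_order: bool) -> Optional[str]:
    """Pick a suite from a ClientHello list the way an OpenSSL-style server does.

    With honor_order=True the server walks its own list first (what
    SSLHonorCipherOrder On asks for); otherwise it walks the client's list.
    Returns None when the two lists do not overlap.
    """
    first, second = (server_order, offered) if honor_order else (offered, server_order)
    for suite in first:
        if suite in second:
            return suite
    return None


def probe_preference(server_order: List[str], honor_order: bool,
                     candidates: List[str]) -> Tuple[bool, List[str]]:
    """Run the quoted four-step probe against the toy server.

    Returns (has_preference, suites in the order the server selected them).
    When the server honours its own order, the second element reproduces it.
    """
    # Step 1: offer only suites we already know the server supports.
    remaining = [s for s in candidates if s in server_order]
    selected: List[str] = []
    has_preference = False
    while remaining:
        chosen = server_select(remaining, server_order, honor_order)
        if chosen is None:
            break  # cannot happen here, since remaining is a subset of server_order
        if chosen != remaining[0]:
            # Step 2: the server skipped the client's first choice, so it has a preference.
            has_preference = True
        elif len(remaining) > 1:
            # Step 3: move the chosen suite to the bottom and ask again.
            rotated = remaining[1:] + [chosen]
            if server_select(rotated, server_order, honor_order) == chosen:
                has_preference = True
        # Step 4: drop the selected suite and repeat until nothing is left.
        selected.append(chosen)
        remaining.remove(chosen)
    return has_preference, selected


def unexplained_suites(reported: List[str], server_order: List[str]) -> List[str]:
    """Suites the scan reported that the configured cipher list cannot produce.

    This is the sanity check Eric raised: a suite such as RC4-MD5 showing up
    in the report despite !MD5 in SSLCipherSuite points at a different vhost
    (or a different host) having answered the scan.
    """
    return [s for s in reported if s not in server_order]


if __name__ == "__main__":
    for honor in (True, False):
        pref, order = probe_preference(SERVER_ORDER, honor, REPORTED_SUITES)
        print(f"SSLHonorCipherOrder {'On ' if honor else 'Off'}: "
              f"preference detected={pref}, inferred order={order}")
    print("reported but not producible by the configured list:",
          unexplained_suites(REPORTED_SUITES, SERVER_ORDER))
```

With honor_order=True the probe recovers SERVER_ORDER exactly; with honor_order=False it reports no preference and the inferred order is just the client's order, which is what SSL Labs showed for Tom's server. The unexplained-suite list (RC4-MD5 and the three DHE suites, all excluded by `!MD5`, `!DH` and `!EDH`) is the quickest evidence that the scanned endpoint was not running the configuration Tom pasted.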
