Two SSL directives appear to be not working with SSL Labs server test

I have been checking my Apache 2.2.14 server with this link:

  https://www.ssllabs.com/ssltest/index.html

I am trying to improve my SSL Labs security score but can't beat 85.
I am running Apache 2.2.14 (from Ubuntu's package).

I get the following scores:

  Certificate        100
  Protocol support    85
  Key exchange        80
  Cipher exchange     90

The test report shows:

  This server is vulnerable to the BEAST attack.
  Certificate Key RSA/4096 bits
  Cipher Suites (sorted by strength; server has no preference)
    TLS_RSA_WITH_RC4_128_MD5 (0x4)   128
    TLS_RSA_WITH_RC4_128_SHA (0x5)   128
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   128
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   168
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   168
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   256

I have the following in my server block:

  SSLProtocol all -SSLv2
  SSLHonorCipherOrder On
  # disallow DH ciphers
  SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH

It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
directives aren't working according to the test report.

I see nothing in the latest Apache2 bug report about any of this.  I
have found a closed bug that fixed the cipher order in 2004 (#28665).

Does anyone have any ideas about the situation?

Thanks.

Best regards,

-Tom
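
The mismatch described in the post, checked mechanically (an added example, not part of the original message): it lists which suites from the quoted SSL Labs report should have been removed by the `!` exclusions in the quoted SSLCipherSuite string. The mapping from OpenSSL tokens to IANA suite names is a simplified assumption covering only the tokens in that string, and the function names are hypothetical.

```python
import re

# Constructed from the cipher-suite list quoted in the post (SSL Labs report).
REPORT = """\
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) 256
"""
# The SSLCipherSuite value quoted in the post.
CONFIGURED = "HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH"

# Simplified assumption: how each "!" token in that string shows up in an
# IANA suite name. This is not a full OpenSSL cipher-string evaluator.
EXCLUSION_PATTERNS = {
    "aNULL": re.compile(r"_anon_"),        # unauthenticated suites
    "MD5": re.compile(r"_MD5$"),           # MD5 as the MAC
    "DH": re.compile(r"^TLS_DHE?_"),       # fixed, ephemeral and anonymous DH
    "EDH": re.compile(r"^TLS_DHE_"),       # ephemeral DH
    "ADH": re.compile(r"^TLS_DH_anon_"),   # anonymous DH
}

def offered_suites(report):
    """Return the IANA suite names listed in an SSL Labs style report."""
    return re.findall(r"^\s*(TLS_\w+)\s+\(0x[0-9a-f]+\)", report, re.M)

def excluded_tokens(cipher_string):
    """Return the tokens the cipher string permanently removes with '!'."""
    return [t[1:] for t in cipher_string.split(":") if t.startswith("!")]

def contradictions(report, cipher_string):
    """Map each offered suite to the '!' tokens that should have removed it."""
    hits = {}
    for suite in offered_suites(report):
        why = [t for t in excluded_tokens(cipher_string)
               if t in EXCLUSION_PATTERNS and EXCLUSION_PATTERNS[t].search(suite)]
        if why:
            hits[suite] = why
    return hits

if __name__ == "__main__":
    for suite, why in contradictions(REPORT, CONFIGURED).items():
        print(f"{suite}: offered despite {', '.join('!' + t for t in why)}")
```

A non-empty result means the endpoint that was scanned is not negotiating with this cipher string, since `!` removes a suite from the list permanently.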
