On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder@xxxxxxxxx> wrote:
> I have been checking my Apache 2.2.14 server with this link:
>
> https://www.ssllabs.com/ssltest/index.html
>
> I am trying to improve my SSL Labs security score but can't beat 85.
> I am running Apache 2.2.14 (from Ubuntu's package).
>
> I get the following scores:
>
> Certificate 100
> Protocol support 85
> Key exchange 80
> Cipher exchange 90
>
> The test report shows:
>
> This server is vulnerable to the BEAST attack.
> Certificate Key RSA/4096 bits
> Cipher Suites (sorted by strength; server has no preference)

I'm not sure how the tool can make that determination. SSLv3-and-later allows the server to pick any cipher out of the intersection of what's supported by both ends.

> TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
> TLS_RSA_WITH_RC4_128_SHA (0x5) 128
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) 128
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) 168
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) 256
>
> I have the following in my server block:
>
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder On
> # disallow DH ciphers
> SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH
>
> It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
> directives aren't working according to the test report.

What does the following report on your system?

openssl ciphers 'HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH'

When I run it on different systems, RC4 may or may not be preferred. I'm not terribly familiar with the syntax, but it doesn't look as if that string takes great lengths to prefer or require RC4 to mitigate the BEAST issue. Although I also now notice you disabled MD5 but the scan reported rc4-md5.
Are you sure it scanned your actual system and you're in the right vhost?
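The following is an added example, not code from the thread or from Apache, that shows the two things being argued about above: what SSLHonorCipherOrder actually changes in the handshake, and how a scanner can report "server has no preference" from the outside without seeing the config. It models cipher selection as list intersection in both directions, then runs the scanner's trick of offering the same supported suites in two orders and comparing the answers. The suite names are the ones from the report; the server preference list, the probe candidates and the unsupported NULL suite are constructed for the example.

```python
"""Added example (not from the thread): simulate TLS cipher-suite selection
with and without server-side ordering (Apache's SSLHonorCipherOrder), and
show how a scanner can tell "server has no preference" from the outside,
without reading the server's config. All inputs are constructed for the
example; suite names are the ones listed in the SSL Labs report above."""

from typing import Callable, List, Optional

# Suite names from the report. RC4 is a stream cipher, so it was not affected
# by BEAST; the CBC suites under TLS 1.0 were (2012-era reasoning; RC4 itself
# is broken today and prohibited by RFC 7465).
RC4_SHA = "TLS_RSA_WITH_RC4_128_SHA"         # 0x0005
AES128_CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"  # 0x002f
AES256_CBC = "TLS_RSA_WITH_AES_256_CBC_SHA"  # 0x0035
DES3_CBC = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"   # 0x000a
NULL_SHA = "TLS_RSA_WITH_NULL_SHA"           # 0x0002, used as an unsupported probe

# Constructed server preference list: what an admin putting RC4 first to
# mitigate BEAST intends SSLCipherSuite to expand to.
SERVER_PREFERENCE = [RC4_SHA, AES256_CBC, AES128_CBC, DES3_CBC]


def negotiate(client_offered: List[str], server_preference: List[str],
              honor_server_order: bool) -> Optional[str]:
    """Pick the suite a server would select from a ClientHello cipher list.

    honor_server_order=True  models SSLHonorCipherOrder On: the first suite in
    the server's list that the client also offered wins.
    honor_server_order=False models the default: the first suite in the
    client's list that the server supports wins (client preference).
    Returns None when there is no common suite (handshake failure).
    """
    if honor_server_order:
        offered = set(client_offered)
        return next((s for s in server_preference if s in offered), None)
    supported = set(server_preference)
    return next((s for s in client_offered if s in supported), None)


# A probe takes the cipher list a client would send and returns the
# server's choice; in a real scanner it is one TLS handshake.
Probe = Callable[[List[str]], Optional[str]]


def enumerate_supported(probe: Probe, candidates: List[str]) -> List[str]:
    """Offer each candidate suite on its own; the server can only complete
    the handshake with it if it supports it. A scanner does this first."""
    return [s for s in candidates if probe([s]) == s]


def server_has_preference(probe: Probe, candidates: List[str]) -> Optional[bool]:
    """Decide whether the server imposes its own cipher order.

    Offer the same supported suites in two different orders: a server that
    honours its own order answers the same suite both times, a server that
    follows the client answers with whichever suite came first. Returns
    None when fewer than two supported suites are available, because then
    the two probes cannot differ and nothing can be concluded.
    """
    supported = enumerate_supported(probe, candidates)
    if len(supported) < 2:
        return None
    first = probe(supported)
    second = probe(list(reversed(supported)))
    return first == second


def main() -> None:
    # A client (or scanner) that lists a CBC suite ahead of RC4, as browsers did.
    client = [AES128_CBC, RC4_SHA, DES3_CBC]
    for honor in (True, False):
        chosen = negotiate(client, SERVER_PREFERENCE, honor)
        print(f"SSLHonorCipherOrder {'On ' if honor else 'Off'}: server picks {chosen}")

    for honor in (True, False):
        probe = lambda offered, h=honor: negotiate(offered, SERVER_PREFERENCE, h)
        verdict = server_has_preference(probe, [AES128_CBC, RC4_SHA, NULL_SHA])
        print(f"Scanner verdict with SSLHonorCipherOrder {'On ' if honor else 'Off'}: "
              f"server has preference = {verdict}")


if __name__ == "__main__":
    main()
```

The same probe can be run by hand against a live server with `openssl s_client -connect host:443 -cipher 'AES128-SHA:RC4-SHA'` and then with the two names swapped; if the `Cipher` line in the output changes between the two runs, the server is following the client's order and SSLHonorCipherOrder is not in effect for that vhost. Note that preferring RC4 was only ever a 2012 workaround: RC4 has since been prohibited for TLS (RFC 7465), and the durable fix for BEAST-class issues is TLS 1.2 or later with AEAD suites.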