Re: R: [users@httpd] CVE-2013-2566

That configuration looks to me like it says NOT CBC or MD5. Can you confirm whether the server is actually accepting CBC or MD5 ciphers?
A tool like https://www.ssllabs.com/ssltest/index.html can tell you, if your server is publicly accessible.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jan 20, 2014 7:30 AM, "Vorazzo Manuela" <manuela.vorazzo@xxxxxx> wrote:
We originally configured Apache with this directive:

SSLCipherSuite RC4-SHA

Then, when the network scan found the vulnerability, we modified it to this:

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA

But now we have CBC, and for the security requirements we have to delete RC4, CBC, and MD5 and probably other ciphers that I can't remember.

Have you any suggestion in order to configure SSLCipherSuite to be compliant with CVE-2013-2566?


Thanks in advance.


Manuela Vorazzo


-----Original message-----
From: Eric Covener [mailto:covener@xxxxxxxxx]
Sent: Monday 20 January 2014 13:10
To: users@xxxxxxxxxxxxxxxx
Subject: Re: CVE-2013-2566

> The RC4 algorithm, as used in the TLS protocol and SSL protocol, has
> many single-byte biases, which makes it easier for remote attackers
> to conduct plaintext-recovery attacks via statistical analysis of
> ciphertext in a large number of sessions that use the same plaintext.

http://httpd.apache.org/security_report.html

You can configure Apache to not use RC4.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



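A local check for the cipher strings discussed in this thread, added here as an example; it is not code from the list, from Apache or from OpenSSL. It expands an SSLCipherSuite string with `openssl ciphers -v` (the same OpenSSL cipher-string syntax mod_ssl passes through), tags every suite in the result that still uses RC4, CBC mode or an MD5 MAC, and includes a helper for asking a server you administer whether it completes a handshake with one named suite, which covers the case where the SSL Labs test cannot reach the host. The function names, the `AEAD_ONLY_STRING` variant and the sample `openssl ciphers -v` lines are this example's own; the expansion assumes the `openssl` on PATH is the same build mod_ssl links against.

```shell
#!/bin/sh
# Added example for this thread; not code from the list, from Apache or from
# OpenSSL. Expands an Apache SSLCipherSuite string with the local OpenSSL and
# tags each resulting suite that still uses RC4, CBC mode or an MD5 MAC.
# Assumption: `openssl` on PATH is the same build mod_ssl links against; a
# different build expands the string differently, and builds without the weak
# ciphers compiled in will not list RC4 at all.

# Tag one line of `openssl ciphers -v` output. Assumed line format:
# "NAME  PROTO Kx=...  Au=...  Enc=...  Mac=..." (constructed example:
# "ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1").
# AEAD suites (GCM, CCM, ChaCha20) have no CBC padding and no separate HMAC;
# block ciphers printed without a mode (AES, 3DES, DES, Camellia, SEED, IDEA)
# are the CBC suites. Prints exactly one tag: RC4, MD5, CBC or OK.
classify_suite() {
    case "$1" in
        *"Enc=RC4"*) echo RC4 ;;
        *"Mac=MD5"*) echo MD5 ;;
        *"Enc=AESGCM"*|*"Enc=AESCCM"*|*"Enc=CHACHA20"*) echo OK ;;
        *"Enc=AES("*|*"Enc=3DES"*|*"Enc=DES("*|*"Enc=Camellia("*|*"Enc=SEED("*|*"Enc=IDEA("*) echo CBC ;;
        *) echo OK ;;
    esac
}

# Expand a cipher string and print one "TAG NAME" line per suite.
# OpenSSL 1.1.1 and later also list the TLS 1.3 suites here; they are AEAD
# suites and come out as OK.
audit_cipher_string() {
    openssl ciphers -v "$1" | while IFS= read -r line; do
        printf '%s %s\n' "$(classify_suite "$line")" "${line%% *}"
    done
}

# Number of suites in a cipher string that carry a given tag.
# usage: count_tag CBC "$CIPHER_STRING"
count_tag() {
    audit_cipher_string "$2" | grep -c "^$1 " || true
}

# Ask a server you administer whether it completes a handshake with one named
# suite; prints "accepted" or "rejected".
# usage: probe_own_server host 443 ECDHE-RSA-AES256-SHA
# -tls1_2 keeps the probe on a version where -cipher applies; for a server
# that only speaks TLS 1.0/1.1 use -tls1 or -tls1_1 instead.
probe_own_server() {
    if openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>/dev/null \
        | grep -q "Cipher is $3"; then
        echo accepted
    else
        echo rejected
    fi
}

# The string from the thread, which still leaves CBC suites enabled:
THREAD_STRING='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA'

# Constructed variant for comparison: the SHA1/SHA256/SHA384 aliases match
# every suite whose MAC is an HMAC, which in TLS 1.2 means every non-AEAD
# suite, so excluding them leaves only GCM/CCM/ChaCha20 suites. Verify the
# expansion on your own build before deploying it.
AEAD_ONLY_STRING="$THREAD_STRING:!RC4:!3DES:!SHA1:!SHA256:!SHA384"

if command -v openssl >/dev/null 2>&1; then
    echo "== thread string =="
    audit_cipher_string "$THREAD_STRING"
    echo "CBC suites left: $(count_tag CBC "$THREAD_STRING")"
    echo "== thread string plus HMAC-SHA exclusions =="
    audit_cipher_string "$AEAD_ONLY_STRING"
    echo "CBC suites left: $(count_tag CBC "$AEAD_ONLY_STRING")"
else
    echo "openssl not on PATH; classify_suite still works on saved 'openssl ciphers -v' output" >&2
fi
```

The point of reading the expanded list rather than the directive is the one the thread turns on: `!MD5` and `!DES-CBC3-SHA` remove what they name, but nothing in the original string excludes the AES-CBC suites that `ECDH+AES256`, `DH+AES` and `RSA+AES` pull in, so they survive and the scanner reports CBC. Run the audit with the OpenSSL that httpd actually loads (compare `ldd` on mod_ssl.so if in doubt), because the same string can expand differently between builds.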

