Re: SSL checker reports server vulnerable to BEAST attack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Robert,

2018-01-16 10:21 GMT+01:00 Robert S <robert.spam.me.senseless@xxxxxxxxx>:
Hi.

I have run a server test on
https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp.  It
reports that my certificate is installed correctly but the server is
vulnerable to a BEAST attack.  It says "Make sure you have the TLSv1.2
protocol enabled on your server. Disable the RC4, MD5, and DES
algorithms. Contact your web server vendor for assistance."

I believe that I have disabled these protocols - here are the relevant
lines in my config:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
SSLHonorCipherOrder On

Can anyone help here?

IIRC a permanent solution for BEAST was to disable TLS 1.0, but I'd check https://mozilla.github.io/server-side-tls/ssl-config-generator/ and see how the above SSLCipherSuite setting can be changed to be up to date.

Hope that helps,

Luca

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux