Thanks. Disabling TLS 1.0 did the trick On Tue, Jan 16, 2018 at 11:54 PM, Luca Toscano <toscano.luca@xxxxxxxxx> wrote: > Hi Robert, > > 2018-01-16 10:21 GMT+01:00 Robert S <robert.spam.me.senseless@xxxxxxxxx>: >> >> Hi. >> >> I have run a server test on >> https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp. It >> reports that my certificate is installed correctly but the server is >> vulnerable to a BEAST attack. It says "Make sure you have the TLSv1.2 >> protocol enabled on your server. Disable the RC4, MD5, and DES >> algorithms. Contact your web server vendor for assistance." >> >> I believe that I have disabled these protocols - here are the relevant >> lines in my config: >> >> SSLEngine on >> SSLProtocol ALL -SSLv2 -SSLv3 >> SSLCipherSuite >> "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" >> SSLHonorCipherOrder On >> >> Can anyone help here? > > > IIRC a permanent solution for BEAST was to disable TLS 1.0, but I'd check > https://mozilla.github.io/server-side-tls/ssl-config-generator/ and see how > the above SSLCipherSuite setting can be changed to be up to date. > > Hope that helps, > > Luca > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|