Re: Re: Qualys scan reports B overall rating for a specific domain (Apache Users)

Hi Walter and Yehuda,

I have enabled mod_info as per https://httpd.apache.org/docs/2.4/mod/mod_info.html. I have already referred to https://ssl-config.mozilla.org/#server=apache&version=2.4.54&config=intermediate&openssl=1.1.1k&guideline=5.6. Please refer to the below output.

Current Configuration:
In file: /etc/httpd/conf.d/ssl.conf
18: SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
23: SSLSessionCache shmcb:/run/httpd/sslcache(512000)
24: SSLSessionCacheTimeout 300
36: SSLRandomSeed startup file:/dev/urandom 256
37: SSLRandomSeed connect builtin
49: SSLCryptoDevice builtin
56: <VirtualHost _default_:443>
70: SSLEngine on
90: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
91: SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
92: SSLHonorCipherOrder on
93: SSLCompression off
94: SSLSessionTickets off
120: SSLCertificateFile /etc/pki/tls/certs/localhost.crt
127: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
195: <Files ~ "\.(cgi|shtml|phtml|php3?)$">
196: SSLOptions +StdEnvVars
: </Files>
198: <Directory "/var/www/cgi-bin">
199: SSLOptions +StdEnvVars
: </Directory>
: </VirtualHost>
In file: /etc/httpd/sites-enabled/demonginx.mydomain.com.conf
6: <VirtualHost *:443>
11: SSLEngine on
12: SSLCertificateFile /etc/letsencrypt/live/demonginx.mydomain.com/cert.pem
13: SSLCertificateKeyFile /etc/letsencrypt/live/demonginx.mydomain.com/privkey.pem
14: SSLCertificateChainFile /etc/letsencrypt/live/demonginx.mydomain.com/chain.pem
: </VirtualHost>

I have run ./testssl.sh --htmlfile demonginx.mydomain.com.html demonginx.mydomain.com and it reports grade B and the details are as below :-

Testing cipher categories

NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) offered (NOT ok)
Triple DES Ciphers / IDEA offered
Obsoleted CBC ciphers (AES, ARIA etc.) offered
Strong encryption (AEAD ciphers) with no FS offered (OK)
Forward Secrecy strong encryption (AEAD ciphers) offered (OK)

Please guide me. Thanks in advance.

Best Regards,

Kaushal

On Mon, Oct 24, 2022 at 5:27 PM Yehuda Katz <yehuda@xxxxxxxxxx> wrote:

Use mod_info to look at the actual loaded configuration and see what SSLCipherSuite values are being loaded and where they are coming from.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Mon, Oct 24, 2022, 5:20 AM Kaushal Shriyan <kaushalshriyan@xxxxxxxxx> wrote:

On Fri, Oct 21, 2022 at 8:51 AM Kaushal Shriyan <kaushalshriyan@xxxxxxxxx> wrote:

On Thu, Oct 20, 2022 at 11:14 PM Kaushal Shriyan <kaushalshriyan@xxxxxxxxx> wrote:
Hi,

I am running Server version: Apache/2.4.54 (IUS) on CentOS Linux release 7.9.2009 (Core). I have enabled the SSLCipherSuite based on https://ssl-config.mozilla.org/#server=apache&version=2.4.54&config=intermediate&openssl=1.1.1k&guideline=5.6 in httpd config /etc/httpd/conf.d/ssl.conf

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) offered (NOT ok)
Triple DES Ciphers / IDEA offered
Obsoleted CBC ciphers (AES, ARIA etc.) offered

[kaushal@ ~]$ httpd -v
Server version: Apache/2.4.54 (IUS)
Server built: Jul 20 2022 23:47:24
[kaushal@ ~]$

Is there a way to have the Overall rating as A? This server accepts RC4 cipher, but only with older protocols. Grade capped to B as per https://blog.qualys.com/product-tech/2013/03/19/rc4-in-tls-is-broken-now-what?_ga=2.190316584.2048888948.1666268705-2031408266.1660632196

Please guide me. Thanks in advance.

Best Regards,

Kaushal

Hi,

Further to my earlier email, I have enabled the SSLCipherSuite based on https://ssl-config.mozilla.org/#server=apache&version=2.4.54&config=intermediate&openssl=1.1.1k&guideline=5.6 in httpd config /etc/httpd/conf.d/ssl.conf.

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) offered (NOT ok)
Triple DES Ciphers / IDEA offered
Obsoleted CBC ciphers (AES, ARIA etc.) offered

[kaushal@ ~]$ httpd -v
Server version: Apache/2.4.54 (IUS)
Server built: Jul 20 2022 23:47:24
[kaushal@ ~]$

Is there a way to have the Overall rating as A? This server accepts RC4 cipher, but only with older protocols. Grade capped to B as per https://blog.qualys.com/product-tech/2013/03/19/rc4-in-tls-is-broken-now-what?_ga=2.190316584.2048888948.1666268705-2031408266.1660632196 I have followed https://access.redhat.com/solutions/6688001 but the issue still persists.

$nmap -sV --script ssl-enum-ciphers -p 443 example.domain.com
PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd 2.4.54 ((IUS) OpenSSL/1.0.2k-fips)
|_http-server-header: Apache/2.4.54 (IUS) OpenSSL/1.0.2k-fips
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_IDEA_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| 64-bit block cipher IDEA vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
|_ least strength: C

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.71 seconds

I too followed https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html but the below issue still persists

Please guide me. Thanks in advance.

Best Regards,

Kaushal

Hi,

I will appreciate it if someone can pitch in for my earlier post to this mailing list and need guidance in this regard. I look forward to hearing from you. Thanks in advance.

Best Regards,

Kaushal