I am getting a warning with Nessus, saying my server supports weak SSL ciphers.

Is this the clients half of an SSL connection? If so would this be based on his browser or OS? If so what OS/browsers uses weak ciphers by default?

And how can I reject connections using weak ciphers if I use openssl/apache.

TIA!

Definition: http://en.wikipedia.org/wiki/Cipher

Depends what server is vulnerable as to what to do about it, for example here's another link I got about Apache in 3 seconds of searching, http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

It will be the browser from the client side but none of the modern browsers use weak encryption - ie less than 128-bit.

Wouldn't worry about it though it's just support there for older browsers which you won't use.

Yeah I found the logic slightly odd when face with Nessus whining about this, as sure, there's a potential MITM issue when using a weak cipher, but that relies on that cipher being use in the first place, and that's pretty unlikely now. So unless you have a bad browser upgrade policy and what not, you're never actually vulnerable to ssl2 cipher issues anyway. I would say though that the browsers still generally *CAN* use sub 128bit ciphers - if a server only supports md5-des or such then you don't want to be blocked from accessing that server, good way to get a bad reputation as a browser, but they'd never get that low on the list unless the server is in that situation.