LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 12-08-2009, 03:56 PM   #1
sowell
LQ Newbie
 
Registered: Jul 2007
Posts: 18

Rep: Reputation: 0
apache 2.2.3 / RHEL 5 / PCI Compliance / openssl


I have been having extreme difficulties with apache disabling weak ciphers (namely 40-bit / 56-bit). I have issues the Directives in the ssl.conf file that are supposed to decline those ciphers, but for some reason its not doing the job I expected. Below is my ssl.conf configuration outlining the SSLProtocol and SSLCIpherSuite configurations I have tried:

Code:
#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to 
# connect.  Disable SSLv2 access by default:
SSLProtocol -all +TLSv1 +SSLv3
# SSLProtocol -SSLv2 +TLSv1 +SSLv3
# SSLProtocol +TLSv1 +SSLv3


#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#  SSLCipherSuite HIGH:MEDIUM:!SSLv2:@STRENGTH
SSLCipherSuite HIGH:!SSLv2:!EXPORT:!LOW:!MEDIUM
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:HIGH:MEDIUM:!LOW
#SSLCipherSuite !ALL:HIGH:!MEDIUM:!aNULL:!eNULL:!LOW:!EXP:!EXPORT40:!EXPORT56
None of these configurations seem to disable SSLv2 (at all) or the Weak Ciphers, mainly what i believe to be EXPORT40 and EXPORT56 (40-bit and 56-bit respectively).

Every time I edited the ssl.conf I did restart the apache server, i even tried a stop/start. Also I have made sure that the httpd.conf file is including ssl.conf in its configuration.

Any help you guys can provide would be very appreciated.

Thanks.

Sol

UPDATE: Ive also tried the directions listed at http://httpd.apache.org/docs/2.2/ssl...tml#onlystrong, which recommended the following:

SSLProtocol all
SSLCipherSuite HIGH:MEDIUM

This also does not appear to work.

Last edited by sowell; 12-08-2009 at 04:06 PM. Reason: update
 
Old 12-09-2009, 09:00 AM   #2
cpplinux
Member
 
Registered: Dec 2009
Posts: 37

Rep: Reputation: 17
Did you try this:
SSLProtocol all -SSLv2

http://www.modssl.org/docs/2.7/ssl_reference.html#ToC8
 
Old 12-09-2009, 09:26 AM   #3
sowell
LQ Newbie
 
Registered: Jul 2007
Posts: 18

Original Poster
Rep: Reputation: 0
I did. As a matter of fact, I wound up loading up the mod_info module last night based on some help I got from #httpd on freenode.net and they couldnt figure it out either. It shows the lines in the module config and the directives it specifies are support by the server are the exact directives I have used in the config. In addition, I did make sure that the only instance of those directives was in the ssl.conf file.

Thanks.

Sol
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Openssl 0.9.7d or newer for RHEL 4.4 legcard Linux - Security 7 11-05-2007 09:35 AM
Need openssl-0.9.8 RPM for RHEL 3.0 dheivan Linux - Enterprise 6 07-18-2007 09:36 AM
OpenSSL in RHEL (0.9.7.a) and the one I installed (0.9.7.g) Swakoo Linux - Newbie 1 07-19-2005 04:36 AM
OpenSSL Apache 2 RedHat 8 bfdlinux Linux - Security 2 07-25-2003 09:18 AM
Openssl and apache huno Linux - General 1 04-21-2003 02:06 PM


All times are GMT -5. The time now is 07:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration