I have been having extreme difficulties with apache disabling weak ciphers (namely 40-bit / 56-bit). I have issued the directives in the ssl.conf file that are supposed to decline those ciphers, but for some reason it's not doing the job I expected. Below is my ssl.conf configuration outlining the SSLProtocol and SSLCipherSuite configurations I have tried:
Code:
# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol -all +TLSv1 +SSLv3
# SSLProtocol -SSLv2 +TLSv1 +SSLv3
# SSLProtocol +TLSv1 +SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# SSLCipherSuite HIGH:MEDIUM:!SSLv2:@STRENGTH
SSLCipherSuite HIGH:!SSLv2:!EXPORT:!LOW:!MEDIUM
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:HIGH:MEDIUM:!LOW
#SSLCipherSuite !ALL:HIGH:!MEDIUM:!aNULL:!eNULL:!LOW:!EXP:!EXPORT40:!EXPORT56
None of these configurations seem to disable SSLv2 (at all) or the weak ciphers, mainly what I believe to be EXPORT40 and EXPORT56 (40-bit and 56-bit respectively).
Every time I edited the ssl.conf I did restart the apache server; I even tried a stop/start. Also I have made sure that the httpd.conf file is including ssl.conf in its configuration.
Any help you guys can provide would be very appreciated.
Thanks.
Sol
UPDATE: I've also tried the directions listed at
http://httpd.apache.org/docs/2.2/ssl...tml#onlystrong, which recommended the following:
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
This also does not appear to work.
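Two checks worth running before editing the file again, as an added example that is not part of the original post or of Apache's own documentation. mod_ssl hands the SSLCipherSuite value to OpenSSL's SSL_CTX_set_cipher_list() unchanged, so Python's ssl module (which links the same cipher-string language) can expand each candidate string and show which suites it still permits; probe() then performs a real handshake against the server offering only a given suite, which is what a scanner does. The host and port in the usage are assumptions. If probe() still negotiates a suite that the expanded string does not permit, the directives being edited are not the ones in effect for that listener: a common reason is a `<VirtualHost _default_:443>` block (or a second vhost) carrying its own SSLCipherSuite/SSLProtocol, which overrides the server-level setting; `httpd -S` lists which vhost serves each address.

```python
"""Expand an SSLCipherSuite string and probe a live server for one suite.

Added example (not from the original post). Uses Python's ssl module, which
links the same OpenSSL cipher-string language mod_ssl passes to
SSL_CTX_set_cipher_list(), so the expansion matches what Apache would allow.
Host and port used at the bottom are assumptions.
"""
import socket
import ssl


def permitted_ciphers(spec):
    """Expand an OpenSSL cipher string into the suites it permits.

    Returns the list of dicts produced by SSLContext.get_ciphers()
    (keys include name, protocol, strength_bits). A spec that matches
    nothing makes OpenSSL reject it; that is reported as an empty list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def weak_ciphers(spec, min_bits=128):
    """Names of suites the spec still allows below min_bits of strength.

    40-bit and 56-bit export suites, single DES and RC4 all land here, so an
    empty result is what a hardened SSLCipherSuite should give.
    """
    return sorted(c["name"] for c in permitted_ciphers(spec)
                  if c["strength_bits"] < min_bits)


def probe(host, port, cipher_spec, timeout=5.0):
    """Handshake once offering only cipher_spec.

    Returns the negotiated (name, protocol, bits) tuple, or None if the
    server refused the offer or the local OpenSSL cannot offer it at all
    (modern builds no longer ship export ciphers, so "EXPORT40" on this
    side needs an old openssl s_client instead).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # we are testing the cipher, not the cert
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.cipher()
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    # The strings from the post, expanded by the local OpenSSL.
    for spec in ("HIGH:!SSLv2:!EXPORT:!LOW:!MEDIUM",
                 "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:HIGH:MEDIUM:!LOW",
                 "HIGH:MEDIUM"):
        print(spec, "-> weak suites still allowed:", weak_ciphers(spec) or "none")
    # Assumed host/port: the server under test.
    print("server offers LOW/DES:", probe("localhost", 443, "LOW:DES"))
```

The expansion only covers cipher suites. Whether SSLv2 or SSLv3 is still accepted has to be tested with a client that can still speak them, for example `openssl s_client -ssl2 -connect host:443` or `-ssl3` on an OpenSSL build old enough to include those protocols; a current build will refuse the option rather than the server refusing the handshake.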