Weak Cipher Vulnerability on Apache Web Server

Discussion in 'Apache' started by rdf, Apr 10, 2013.

0
  1. #1
    We are currently running ColdFusion 9 on an Apache server. After running a Webinspect scan for one of our web applications, a weak cipher vulnerability was flagged as critical. Their recommended change to the httpd.conf file is listed below. We made the change and restarted our server but the same vulnerability came up again. Does anyone have any suggestions as to how to eliminate the weak cipher vulnerability?

    SSLCipherSuite ALL:!aNull:!ADH:!eNull:!LOW:!EXP:!NULL:RC4+RSA:+HIGH:+MEDIUM
     
    rdf, Apr 10, 2013 IP
  2. MilesWeb

    MilesWeb Well-Known Member

    Messages:
    869
    Likes Received:
    36
    Best Answers:
    7
    Trophy Points:
    173
    #2
    Try setting it as below. See if it passes the scan.

    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
     
    MilesWeb, Apr 10, 2013 IP
  3. rdf

    rdf Guest

    Messages:
    2
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #3
    thanks for the reply. i have been researching this afternoon. are you familar with the SSLHonorCipherOrder directive and should that be included?
     
    rdf, Apr 10, 2013 IP
  4. MilesWeb

    MilesWeb Well-Known Member

    Messages:
    869
    Likes Received:
    36
    Best Answers:
    7
    Trophy Points:
    173
    #4
    It is used when choosing a cipher during an SSLv3 or TLSv1 handshake. Yes, you can include it.
     
    MilesWeb, Apr 11, 2013 IP