
This server supports anonymous (insecure) suites

Question asked by Dwight Victor on Mar 12, 2014
Latest reply on Mar 14, 2014 by Dwight Victor

Hello,

I'm trying to configure my home/test system but am receiving a failing grade from the SSL Server Test due to support for anonymous/insecure cipher suites.  How should I configure the SSLCipherSuite to disable the following insecure suites?

TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA

I'm running Apache 2.2.26 and OpenSSL 1.0.1f and my current SSL configuration (related to ciphers) follows the Mozilla recommendation from https://wiki.mozilla.org/Security/Server_Side_TLS:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

With this cipher suite I'm only supporting TLS:

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
I've also tried the SSLCipherSuite suggested in https://community.qualys.com/thread/11852 (I know this is for Apache 2.4 but whatever doesn't work should be ignored, right?):

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
No matter what I've tried -- and I've tried excluding anonymous ECDH via !AECDH -- I still end up with an "F" due to the insecure/anonymous ciphersuites; see https://www.ssllabs.com/ssltest/analyze.html?d=www.aikanaka.com&hideResults=on

Can someone point me in the right direction?

Thanks,

Dwight...
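To see what each posted SSLCipherSuite string really enables, here is an added example (not from the thread or from Qualys) that feeds both strings to the local OpenSSL through Python's ssl module and lists any enabled suite with no server authentication (Au=None, the ADH-*/AECDH-* suites that SSL Labs reports under their IANA names TLS_DH_anon_*/TLS_ECDH_anon_*). It assumes Python 3.6+ linked against OpenSSL 1.1.0 or later, where @SECLEVEL is understood; if both strings come back with no anonymous suites, the scanner is not seeing these strings, and the configuration the listening vhost actually loads is where to look next.

```python
import ssl

# The two SSLCipherSuite strings from the post, constructed here verbatim.
# Apache hands the string to OpenSSL unchanged, so OpenSSL's own parser is
# the authority on what it enables.
MOZILLA_STRING = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)
QUALYS_STRING = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
    "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)


def enabled_suites(cipher_string):
    """Cipher descriptions (name, protocol, Kx=, Au=, ...) the string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing survives the string
    return [c["description"] for c in ctx.get_ciphers()]


def anonymous_suites(cipher_string):
    """Names of enabled suites with no server authentication (Au=None).

    These are the ADH-*/AECDH-* suites; the TLS_ECDH_anon_* names the scanner
    reports are the IANA spellings of the AECDH-* ones.
    """
    return [d.split()[0] for d in enabled_suites(cipher_string) if "Au=None" in d]


if __name__ == "__main__":
    for label, s in (("Mozilla", MOZILLA_STRING), ("Qualys", QUALYS_STRING)):
        print(f"{label}: {len(enabled_suites(s))} suites, anonymous: {anonymous_suites(s)}")
    # What the !aNULL exclusion guards against: OpenSSL 1.1.0+ already drops
    # unauthenticated suites at the default security level, so lowering it
    # is the only way to see them listed at all.
    print("ALL with Au=None:", anonymous_suites("ALL:@SECLEVEL=0"))
```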