Increase security from C to A or B

Question asked by |Mark| on Apr 12, 2014
Latest reply on Apr 15, 2014 by Lloyd_Day

Hi,

I have scanned my website on Qualys SSL Labs and got a C in the results.

Certificate 100%

Protocol support 90%

Key Exchange 40%

Cipher Strength 60%

I want to fix the Key Exchange and the Cipher Strength, but I don't know what to do; I suppose I have to edit the Apache configuration file?

In the report I can see:

Cipher Suites (sorted by strength; the server has no preference). Maybe this needs to be fixed also.

Under this I can see:

TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK56

How can I fix this, the Key Exchange and the Cipher Strength?

Maybe I can solve it with this? (http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html)

How can I create an SSL server which accepts strong encryption only, but allows export browsers to upgrade to stronger encryption?

This facility is called Server Gated Cryptography (SGC) and requires a Global ID server certificate, signed by a special CA certificate from Verisign. This enables strong encryption in 'export' versions of browsers, which traditionally could not support it (because of US export restrictions).

When a browser connects with an export cipher, the server sends its Global ID certificate. The browser verifies this, and can then upgrade its cipher suite before any HTTP communication takes place. The problem lies in allowing browsers to upgrade in this fashion, but still requiring strong encryption. In other words, we want browsers to either start a connection with strong encryption, or to start with export ciphers but upgrade to strong encryption before beginning HTTP communication.

This can be done as follows:

httpd.conf

      # allow all ciphers for the initial handshake,
      # so export browsers can upgrade via SGC facility
      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

      <Directory /usr/local/apache2/htdocs>
      # but finally deny all browsers which haven't upgraded
      SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
      </Directory>

But I don't know what I have to replace, if this is the right approach. Thanks to whoever will help me.
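As an added example (not from the question, the Apache documentation or Qualys), this Python script parses cipher-suite lines in the SSL Labs layout quoted above and maps each weak suite to the OpenSSL cipher-string keyword that would exclude it from Apache's SSLCipherSuite; it reports the small DH groups separately, since those need larger DH parameters rather than a cipher-string change. The 2048-bit DH threshold and the extra ECDHE line in the sample are assumptions added for illustration.

```python
import re
# Constructed sample in SSL Labs' text layout: the six suites quoted in the question, plus one strong ECDHE suite for contrast.
REPORT = """\
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK56
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS
"""
LINE = re.compile(r"^(?P<suite>TLS_\w+) \((?P<code>0x[0-9a-fA-F]+)\)(?P<rest>.*)$")
MIN_DH_BITS = 2048  # assumed threshold; smaller groups need new DH parameters, not a cipher-string edit

# Token in the IANA suite name -> OpenSSL cipher-string keyword that excludes such suites.
EXCLUSIONS = [
    (re.compile(r"_EXPORT_"), "!EXPORT"),
    (re.compile(r"_DES(40)?_"), "!DES"),   # single DES only; 3DES has no "_DES" token
    (re.compile(r"_RC4_"), "!RC4"),
    (re.compile(r"_RC2_"), "!RC2"),
    (re.compile(r"_MD5$"), "!MD5"),
    (re.compile(r"_NULL_"), "!eNULL"),
]

def parse_report(text):
    """Turn SSL Labs suite lines into records: name, hex code, DH size, FS flag, WEAK grade."""
    rows = []
    for m in filter(None, (LINE.match(l.strip()) for l in text.splitlines())):
        rest = m.group("rest")
        dh = re.search(r"\bDH (\d+) bits", rest)   # \b keeps "ECDH 256 bits" from matching
        weak = re.search(r"WEAK(\d+)", rest)
        rows.append({"suite": m.group("suite"), "code": m.group("code"),
                     "dh_bits": int(dh.group(1)) if dh else None,
                     "fs": bool(re.search(r"\bFS\b", rest)),
                     "weak_bits": int(weak.group(1)) if weak else None})
    return rows

def exclusions_for(suite):
    """Cipher-string keywords that would remove this suite from SSLCipherSuite."""
    return {kw for pat, kw in EXCLUSIONS if pat.search(suite)}

def weak_dh_suites(rows):
    """Suites negotiating a DH group below MIN_DH_BITS (the 512- and 1024-bit ones here)."""
    return [r["suite"] for r in rows if r["dh_bits"] is not None and r["dh_bits"] < MIN_DH_BITS]

def recommended_cipher_string(rows):
    """Start from HIGH, always drop unauthenticated and unencrypted suites, then add what the report calls for."""
    found = set().union(*(exclusions_for(r["suite"]) for r in rows))
    return ":".join(["HIGH", "!aNULL", "!eNULL"] + sorted(found - {"!eNULL"}))
```

The report's "the server has no preference" remark is a separate setting from the cipher string; in mod_ssl it corresponds to the SSLHonorCipherOrder directive.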