I have a few websites which are behind a firewall and have a Barracuda load balancer incorporated for load balancing the web requests between two Apache servers.
Recently, the company's security team raised an alert for weak SSL configuration. Being a novice in SSL, I did some surfing and adjusted the following on both of my web servers.
- Disabled SSLv2 and SSLv3
- Enabled TLSv1.1 and TLSv1.2
- Added the new strong cipher
My Apache version is 2.2.15 and the OpenSSL version is 1.0.1e-fips.
But I am still getting an "F" rating in the SSL test, with the shortcomings mentioned below:
- SSLv2 enabled
- Vulnerable to BEAST attack
- Cipher strength weak
- HTTP Strict-Transport-Security should be enabled (not supported with the current version of Apache)
An SSL version check on the local system yields that SSLv2 and SSLv3 are disabled.
I suspect that I am getting such a rating due to the Barracuda load balancer. Can you please help me prove myself right?
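The way to prove or disprove the suspicion above is to run the same protocol probes against the load balancer's public address and against one backend Apache server directly, from a host that can reach both, and compare. The script below is an added example, not code from the original post or from Barracuda: it drives `openssl s_client` with each protocol-selection flag, classifies the result from the client's output, and prints a side-by-side table. Hostnames, the port and the idea of running it from inside the firewall are assumptions; the probe only proves something if the client's own OpenSSL build still has `-ssl2`/`-ssl3` support, so a build that lacks them is reported as such instead of being mistaken for "disabled on the server". The sample output in the test is constructed from the usual `s_client` message formats.

```sh
#!/bin/sh
# Added example (not from the original post). Compares which SSL/TLS versions
# a load-balancer VIP accepts against what a backend Apache server accepts.
# Usage: ./probe.sh VIP_HOST BACKEND_HOST [PORT]   (PORT defaults to 443)

# classify_handshake: read `openssl s_client` output on stdin and print one of
#   client-unsupported  - this openssl build lacks the requested protocol flag
#   refused             - the server rejected the protocol (alert / no cipher)
#   accepted            - the server negotiated the protocol with a real cipher
#   unknown             - output matched none of the patterns (timeout, DNS, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo client-unsupported
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)' \
         || printf '%s\n' "$out" | grep -qi 'handshake failure' \
         || printf '%s\n' "$out" | grep -q 'Cipher *: *0000'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q '^ *Protocol *: '; then
        echo accepted
    else
        echo unknown
    fi
}

# negotiated_cipher: read `s_client` output on stdin and print the cipher name
# from the SSL-Session block (empty if none was negotiated).
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# probe_protocol HOST PORT FLAG: one handshake attempt with a protocol flag
# such as -ssl2, -ssl3, -tls1, -tls1_1 or -tls1_2. stdin is closed so the
# client exits right after the handshake instead of waiting for input.
probe_protocol() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# probe_weak_ciphers HOST PORT: offer only ciphers a scanner rates as weak
# (export, 56-bit, RC4, NULL). Any cipher name printed means one was accepted.
probe_weak_ciphers() {
    openssl s_client -connect "$1:$2" -cipher 'EXPORT:LOW:RC4:NULL' </dev/null 2>&1 \
        | negotiated_cipher
}

# compare_endpoints VIP BACKEND PORT: one row per protocol, plus weak ciphers.
# A VIP row that says "accepted" while the backend row says "refused" shows
# the load balancer is terminating TLS with its own (weaker) settings.
compare_endpoints() {
    printf '%-10s %-20s %s\n' protocol vip backend
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-10s %-20s %s\n' "$flag" \
            "$(probe_protocol "$1" "$3" "$flag")" \
            "$(probe_protocol "$2" "$3" "$flag")"
    done
    printf '%-10s %-20s %s\n' weak-cipher \
        "$(probe_weak_ciphers "$1" "$3")" "$(probe_weak_ciphers "$2" "$3")"
}

# Only run the network probes when both hosts are given on the command line.
if [ $# -ge 2 ]; then
    compare_endpoints "$1" "$2" "${3:-443}"
fi
```

Run it from inside the firewall (the Barracuda's VIP first, a backend's own address second) with an OpenSSL client that still accepts `-ssl2` and `-ssl3`; if the VIP column shows SSLv2 or a weak cipher accepted while the backend column does not, the public scanner is grading the load balancer's TLS termination, not the Apache `SSLProtocol`/`SSLCipherSuite` settings. The fix then belongs in the Barracuda's SSL settings as well as Apache's. The probes do not send SNI, so on a VIP hosting several certificates the negotiated certificate may differ from the scanned site, but protocol and cipher acceptance are what matter here. For the HSTS item, note that Apache 2.2's mod_headers can emit the header (`Header always set Strict-Transport-Security "max-age=31536000"`), but only the device that answers the client over TLS decides whether it reaches the browser unchanged.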