
SSL Report Says Server is Using RC4 Ciphers, But I Don't Think Any Are Set on Server

Question asked by Carey Hildebrand on May 3, 2015
Latest reply on May 31, 2015 by Carey Hildebrand

Hello,

Hopefully someone can help me understand why the ssllabs server analysis report says that I still have RC4 ciphers active on my apache server, when I don't appear to have any set in my SSLCipherSuite directive in the ssl.conf file.  It's a CentOS 6.5 virtual server on AWS, running apache.

My SSLCipherSuite directive is set to this:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

The report lists 31 active ciphers with these 3 RC4 marked as weak:

TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   WEAK     128
TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK     128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK     128

As another test, I ran a script I found online that tests for active OpenSSL ciphers. The script is as follows:

#!/usr/bin/env bash
# Probe which cipher suites a TLS server accepts by offering each suite known to
# the local OpenSSL, one at a time, with openssl s_client.
# OpenSSL requires the port number.
SERVER="<domain OR ip>:<port>"
DELAY=1

# Every suite name the local OpenSSL knows (NULL-encryption suites included),
# converted from a colon-separated string to a space-separated word list.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo "Obtaining cipher list from $(openssl version)."

for cipher in $ciphers
do
  echo -n "Testing $cipher..."
  # Offer only this one suite; the handshake succeeds only if the server accepts it.
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
  # Count it as active only when the negotiated suite is the one we offered;
  # matching a bare "Cipher    :" line would also match failed or TLS 1.3 handshakes.
  if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    : ${cipher}" ]] ; then
    echo YES
  else
    if [[ "$result" =~ ":error:" ]] ; then
      # Field 6 of an OpenSSL error line is the short reason, e.g. "sslv3 alert handshake failure".
      error=$(echo -n "$result" | cut -d':' -f6)
      echo "NO ($error)"
    else
      echo UNKNOWN RESPONSE
      echo "$result"
    fi
  fi
  sleep "$DELAY"
done

It found the following active ciphers:

Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing ECDHE-RSA-AES256-SHA384...YES
Testing ECDHE-RSA-AES256-SHA...YES
Testing DHE-RSA-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-SHA256...YES
Testing DHE-RSA-AES256-SHA...YES
Testing DHE-RSA-CAMELLIA256-SHA...YES
Testing ECDHE-RSA-AES128-GCM-SHA256...YES
Testing ECDHE-RSA-AES128-SHA256...YES
Testing ECDHE-RSA-AES128-SHA...YES
Testing DHE-RSA-AES128-GCM-SHA256...YES
Testing DHE-RSA-AES128-SHA256...YES
Testing DHE-RSA-AES128-SHA...YES
Testing DHE-RSA-SEED-SHA...YES
Testing DHE-RSA-CAMELLIA128-SHA...YES

None of the cipher names imply they use RC4.  And none of the 3 RC4 cipher names that ssllabs report shows seem to be in the list that this script outputs.

Maybe someone can tell me what I'm missing or not understanding, that would cause the ssllabs report to say my server is still using RC4 ciphers, but my ssl.conf file doesn't appear to have any listed, and this other script doesn't appear to list any RC4 ciphers.

Thanks to anyone that can shine some constructive insight onto this for me.
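Added example (not part of the original post or of any project mentioned in it): one reason the two lists above are hard to compare by eye is that SSL Labs prints IANA suite names (TLS_RSA_WITH_RC4_128_SHA) while openssl prints its own names (RC4-SHA), so the same suite never appears with the same spelling in both outputs. The Python below expands the SSLCipherSuite string quoted in the question with the local libssl, exactly as Apache hands it to OpenSSL, and matches the result against the report by IANA code (0xc011, 0x5, 0x4 are taken from the report) rather than by name. It also checks whether the client's own OpenSSL can offer RC4 at all, because a client-side probe such as the shell script above can only ever report NO for a suite its own libssl no longer has, whatever the server would accept. The cipher string, the three codes and their names come from the question; the function names and the mapping to OpenSSL names are this example's own.

```python
import ssl

# SSLCipherSuite value quoted from the question. Apache accepts spaces or colons as
# separators; OpenSSL wants colons, so expand_cipher_string() normalises it.
APACHE_SUITE = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
                "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
                "EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS")

# The three suites the SSL Labs report flagged, keyed by the IANA code it printed.
REPORTED_RC4 = {0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
                0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                0x0004: "TLS_RSA_WITH_RC4_128_MD5"}


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL/Apache cipher string into the suites the local libssl would
    offer for it. Returns a list of (iana_code, openssl_name, protocol).
    Raises ssl.SSLError when the string matches no suite this build has."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string.replace(" ", ":"))
    # get_ciphers() reports the suite id with a 0x0300 prefix; the low 16 bits are
    # the two-byte IANA code SSL Labs prints in parentheses.
    return [(c["id"] & 0xFFFF, c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def rc4_suites(cipher_string):
    """Suites in the expansion that carry RC4 in their OpenSSL name or whose IANA
    code is one of the suites the report flagged."""
    return [s for s in expand_cipher_string(cipher_string)
            if "RC4" in s[1] or s[0] in REPORTED_RC4]


def compare_with_report(cipher_string, reported=REPORTED_RC4):
    """Map each reported IANA name to the OpenSSL name the local expansion offers for
    the same code, or None when the expansion does not contain that code."""
    offered = {code: name for code, name, _ in expand_cipher_string(cipher_string)}
    return {iana: offered.get(code) for code, iana in reported.items()}


def client_can_offer(cipher_string):
    """True when the local libssl can offer at least one suite for this string.
    If this returns False for "RC4", a NO from a client-side probe says nothing
    about the server: the client never offered the suite."""
    try:
        return bool(expand_cipher_string(cipher_string))
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for code, name, proto in expand_cipher_string(APACHE_SUITE):
        print(f"0x{code:04X}  {proto:<7}  {name}")
    print("RC4 suites in the expansion:", rc4_suites(APACHE_SUITE))
    print("Report vs local expansion:", compare_with_report(APACHE_SUITE))
    print("This client can offer RC4 at all:", client_can_offer("RC4"))
```

Running it against the question's string shows the expansion contains no RC4 suite and none of the three reported codes, which is what the SSLCipherSuite directive promises for the virtual host it applies to. Two caveats follow from the design: the expansion reflects the OpenSSL on the machine where the script runs, not necessarily the CentOS 6.5 build behind Apache, and a probe only proves a suite is active for the hostname and port the probe actually connected to, so the server name and port given to SSL Labs and to the shell script should be identical before the two results are compared.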
