Hi all, We have created a URL with Apache as the web server. When we tried to test our site's certificate, we found the below ciphers are weak. We tried to disable them in the Apache web server, but no luck. Is it possible for us to eliminate them at the VIP? What configuration do I have to set to disable the below ciphers in the Apache web server? Need your help and comments. Thanks in advance.
Ciphers which need to be disabled:
------------------------------------------------
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK
In Apache httpd, ciphers are set in the SSLCipherSuite directive. Ciphers are delimited by space or by semicolon (whatever you choose). To disable a cipher you need to add an "exclamation mark" in front of the cipher.
You most probably use Apache with the OpenSSL library. The thing is, OpenSSL uses its own cipher names, but the ssllabs test displays the official standard TLS names. So look at the ssllabs.com cipher name you would like to disable, like TLS_RSA_WITH_3DES_EDE_CBC_SHA, and then look for a matching OpenSSL name in
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
and you get DES-CBC3-SHA.
Now, to the existing SSLCipherSuite parameter value in Apache httpd, add:
1. a space or semicolon to delimit ciphers,
2. an "exclamation mark" to negate cipher selection,
3. the cipher you would like to negate, e.g. DES-CBC3-SHA,
4. repeat steps 1 to 3 for each cipher you would like to disable.
Final result you are looking for should be:
SSLCipherSuite "current_cipher_list !DES-CBC3-SHA !ECDHE-RSA-DES-CBC3-SHA"
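
A way to check the resulting string before reloading Apache, as an added example that is not part of the original answer: it expands a cipher string with the OpenSSL build Python is linked against (assumed to behave like the one behind mod_ssl) and reports which of the two flagged code points, 0xa and 0xc012, are still enabled. The `HIGH MEDIUM !aNULL !MD5` value is a constructed stand-in for `current_cipher_list`, and `harden` and `weak_enabled` are hypothetical helper names.

```python
import ssl

# IANA code point -> OpenSSL name, for the two suites flagged in the question
# (OpenSSL names as given in the answer above).
WEAK = {
    0x000A: "DES-CBC3-SHA",            # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0xC012: "ECDHE-RSA-DES-CBC3-SHA",  # TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
}


def harden(cipher_list, names=tuple(WEAK.values())):
    """Append a '!NAME' exclusion for each name, space-delimited."""
    return " ".join([cipher_list] + ["!" + n for n in names])


def weak_enabled(cipher_list):
    """Return OpenSSL names of WEAK suites that cipher_list still enables.

    Assumption: the OpenSSL linked into Python expands the string the same
    way as the OpenSSL used by Apache on the server being configured.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing is selected
    found = []
    for c in ctx.get_ciphers():
        # 'id' carries the IANA code point in its low 16 bits.
        if (c["id"] & 0xFFFF) in WEAK:
            found.append(c["name"])
    return found


if __name__ == "__main__":
    current = "HIGH MEDIUM !aNULL !MD5"  # constructed stand-in
    hardened = harden(current)
    # Builds compiled without 3DES print an empty list for both.
    print("before:", weak_enabled(current))
    print("after: ", weak_enabled(hardened))
    print('SSLCipherSuite "%s"' % hardened)
```

An empty "after" list only shows that the string itself excludes both suites; the scan still has to be rerun against the site, since the VIP mentioned in the question may terminate TLS with its own cipher settings.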