SSL Medium Strength Cipher Suites Supported

Security Metrics and other scanning companies may report that accepting medium-strength ciphers is a risk to your system. They also note that such an attack is easier to carry out when the attacker is on the same network as the server.

The risk here is that the traffic between your secure (https) server and the client can be decrypted.

You can choose to fix this, but there is a consequence: older web browsers may no longer be able to connect to your system. If you can reliably assume that all traffic to your secure web server comes from modern browsers only, you can safely disable the older ciphers.

ClearCenter response

If your web server is not on the same network as any potential attacker (for example, it is hosted at an ISP with ONLY your devices, or your LAN users are not potential threats), include this statement:

  • This ClearOS server does not have untrusted machines on its network that could perform such an attack.

If your web site requires that older web browsers be able to connect to your web services, include the following:

  • The server requires compatibility with older web browsers that may not support stronger ciphers.

Resolution

If you want to change the behavior of your web server so that it ONLY allows strong encryption, perform the following steps:

First, take a look at what a weak connection looks like by running the following:

openssl s_client -connect localhost:443 -cipher MEDIUM

This should give you a long and valid response, ending with the negotiated cipher. Second, connect to your server via the command line and open /etc/httpd/conf.d/ssl.conf in your favorite editor (e.g. nano, vi, emacs).

vi /etc/httpd/conf.d/ssl.conf

Change this line:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

to this:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:!MEDIUM:+HIGH

Third, save the file and restart the httpd service.

service httpd restart

Fourth, connect again to the httpd service using the same command as before:

openssl s_client -connect localhost:443 -cipher MEDIUM

The handshake should be rejected this time. Now try with only high-strength ciphers:

openssl s_client -connect localhost:443 -cipher HIGH

You should get a connection and a lot of output, just like the first time, but now the server only negotiates strong ciphers.
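The four checks above can be scripted so the before/after state is verified in one run. This is an added example, not part of the ClearOS page; it assumes the openssl command-line tool is installed and that the server is reachable at the host and port you pass (localhost:443 by default):

```shell
#!/bin/sh
# Added example, not from the ClearOS page: probe which OpenSSL cipher groups
# an HTTPS server accepts, automating the before/after checks in the steps above.
# Assumes the openssl CLI is installed; host and port default to localhost:443.

# negotiated_cipher: read `openssl s_client` output on stdin and print the
# cipher that was negotiated. Prints nothing and returns 1 when the handshake
# failed, which s_client reports as "New, (NONE), Cipher is (NONE)".
negotiated_cipher() {
    cipher=$(sed -n 's/^New, .*Cipher is //p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") return 1 ;;
        *) printf '%s\n' "$cipher"; return 0 ;;
    esac
}

# probe_group HOST PORT GROUP: handshake restricted to one cipher group
# (LOW, MEDIUM or HIGH) and report whether the server accepted it.
probe_group() {
    host=$1; port=$2; group=$3
    # "Q" on stdin makes s_client close the session as soon as it is up.
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -cipher "$group" 2>&1) || true
    if cipher=$(printf '%s\n' "$out" | negotiated_cipher); then
        printf '%-6s accepted  (%s)\n' "$group" "$cipher"
        return 0
    fi
    printf '%-6s rejected\n' "$group"
    return 1
}

# audit HOST PORT: succeeds only when LOW and MEDIUM are rejected and HIGH
# is accepted, the state the ssl.conf change above is meant to produce.
audit() {
    host=${1:-localhost}; port=${2:-443}; bad=0
    probe_group "$host" "$port" LOW    && bad=1
    probe_group "$host" "$port" MEDIUM && bad=1
    probe_group "$host" "$port" HIGH   || bad=1
    return $bad
}

# selfcheck: exercise the parser on constructed s_client excerpts (no network).
selfcheck() {
    good='New, TLSv1/SSLv3, Cipher is AES256-SHA'
    [ "$(printf '%s\n' "$good" | negotiated_cipher)" = "AES256-SHA" ] || return 1
    printf 'New, (NONE), Cipher is (NONE)\n' | negotiated_cipher && return 1
    return 0
}

case "${1:-}" in --audit) audit "$2" "$3" ;; esac
```

Run it as `sh check_ciphers.sh --audit localhost 443`; a non-zero exit means a weak group was still accepted or HIGH was refused. On OpenSSL 1.1.1 or newer the -cipher option does not restrict TLS 1.3 suites, so add -tls1_2 to the s_client call to reproduce the test the page describes.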

content/en_us/kb_3rdparty_security_metrics_ssl_medium_strength_cipher_suites_supported.txt · Last modified: 2015/01/29 09:49 (external edit)
