ClearOS Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


SSL_Weak Cipher Suites Supported

Security Metrics may claim that the acceptance of weak ciphers represents a risk to your system. They also note/admit that it is easier to make such an attack if the attacker is on the same network.

The risk here is that the traffic between your secure (https) server and the client can be decrypted if LARGE quantities of data between the server and the client can be recorded. Hackers must already have control of systems in between your system and the requesting client. Even if this situation is true, the data stream is the only aspect of the compromise. If that data is supposed to be otherwise protected by compliance, then that is the risk. A compromise of the server itself is not necessarily at risk unless this method record management transactions.

You can choose to fix this but there is a consequence. Namely, older web browsers may not be capable of working with your system. If you can reliably assume that all web traffic to your secure web server site is using modern browsers only, you can safely disable older ciphers.

ClearCenter response

If your web server is not on the same network as any potential attacker (for example, it is on an ISP with ONLY your devices or if your LAN users are not potential threats include this statement:

  • This ClearOS server does not have other machines on the network that are untrusted and thereby able to perform an attack.

If your web site requires that older web browsers be able connect to your web services, include the following:

  • The server requires compatibility with older web browsers that may not have support for heavier ciphers.

Resolution

If you want to change the behavior of your web server to ONLY allow stronger encryption, perform the following steps:

First, take a look at what a weak connection looks like by running the following:

openssl s_client -connect localhost:443 -cipher LOW:EXP

This should give you a long and valid response. Second, connect to your server via command line and modify the following file using your favorite editor (i.e. nano, vi, emacs, et al). Modify the /etc/httpd/conf.d/ssl.conf file.

vi /etc/httpd/conf.d/ssl.conf

Change this line:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

to this:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Third, save the file and restart the httpd service.

service httpd restart

Fourth, connect again to the httpd service using the same command as before:

openssl s_client -connect localhost:443 -cipher LOW:EXP

You should get rejected this time. Now try with only medium to high levels of encryption:

openssl s_client -connect localhost:443 -cipher MED:HIGH

You should get a connection and a lot of output just like at the first, but this time it is more secure.

content/en_us/kb_3rdparty_security_metrics_ssl_weak_cipher_suites_supported.txt · Last modified: 2015/01/29 09:03 by dloper

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Akb_3rdparty_security_metrics_ssl_weak_cipher_suites_supported&1563787180