Attention Eric - Need help with getting my virtualmin setup compliant against BEAST attack

Hello,

(Hope you can answer this Eric!)

The past few days I’ve been struggling to find a solution to my problem.

I’ve done everything I possibly can in order to get my virtualmin (CentOS 6.5) to pass a BEAST (CVE-2011-3389) scan, yet it is always failing.

From what I can tell openssl openssl-1.0.1e-16.el6_5.15.x86_64 or apache 2.2 doesn’t support specifying to use TLSv1.2.

My current httpd.conf:

SSLProtocol -ALL +SSLv3
SSLHonorCipherOrder on
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLInsecureRenegotiation off

If I remove +SSLv3 and replace it with TLSv1.2, it fails to start. I have tried just about every combination to get this to work, but it always comes back as susceptible.

What should I do?

Do I implement a new version of Apache (2.4?) OpenSSL (latest) or both?

Is there a combination or recommended method that will make my current setup (and probably a lot of others using virtualmin) to pass a BEAST scan?

BTW: I’m using https://www.ssllabs.com/ssltest/ to run these scans.

Any information or advice is greatly appreciated!!

SR

So I tried to install apache 2.4 and the config files from 2.2 aren’t compatible with 2.4…

Would appreciate any guides or recommendations, otherwise I’ll have to change systems.

I know you said find a different PCI company, unfortunately it’s my CC processing company that is insisting I use this one.

My scans indicate I am vulnerable, and if I am not compliant by the end of the month, I will have to pay ridiculous charges to offset the CC company’s risk.

Waiting for your reply, this is beyond my ability or understanding at this point.

Thank you!

Howdy,

You may want to get the opinion of the Virtualmin community, as I’m the only one who sees this if you mark it as private.

I’d suggest not marking posts as private, as I unfortunately can’t respond to each post, and a lot of folks here in the community may both have useful information for you, as well as would benefit from your ultimate solution.

You mentioned that you’re using the ssllabs site, though; you may want to review their blog post on how they’d recommend mitigating BEAST:

https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

It’s from a few years back, so it should work on your distro/version.

-Eric

Okay I figured it out and I have a headache now :S

So basically, all the links I’ve come across, even the one you provided, are including compromised ciphers that are no longer secure.

After much digging and reading, basically you want to enable compliant cipher suites. So go one by one, figuring out which ones are compatible with the version of openssl you have, and enable them.

Example: https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%208.1

These are the recommended ciphers for Windows 8.1 with IE 11; the ones that have Forward Secrecy are the ones I aimed for, since I was getting a lower score with the other ciphers that did not include them.

Not sure why no one has spoken or blogged about this…

Anyway, looks like I’m OK (for now). Will keep an eye out for the latest version of Virtualmin that will be compatible with CentOS 7 so I can get the semi-latest version of Apache.

Thanks!

SR
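The "go suite by suite" approach from the last post, and the httpd.conf question that opened the thread, can be scripted. The following is an added example, not code from SR, Eric or Virtualmin: it parses the column layout of `openssl ciphers -v` (OpenSSL 1.0.1 style, as on CentOS 6), marks each suite for forward secrecy, AEAD, RC4 and whether it is a CBC suite usable under SSLv3/TLS 1.0 (the case a BEAST scan objects to), and emits an Apache SSLProtocol/SSLCipherSuite block that disables SSLv3 and lists the surviving suites in preference order. The eight sample lines are constructed for an offline run; the `fetch_ciphers_v` helper, the `allow_tls10_cbc` switch and the classification rules are this example's own assumptions, not anything the scanner or Apache documents.

```python
"""Added example (not from this thread or Virtualmin): rank the cipher
suites a local OpenSSL build offers for an Apache SSLCipherSuite line,
preferring forward secrecy and AEAD, and flag the CBC suites that are
offered under SSLv3/TLS 1.0, which is what a BEAST scan reports.

Real input comes from `openssl ciphers -v '<spec>'` (OpenSSL 1.0.1
column layout).  SAMPLE_CIPHERS_V is constructed so the script runs offline."""
import re
import subprocess

# Constructed sample of `openssl ciphers -v` output; not a real capture.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

# One `openssl ciphers -v` line: name, lowest protocol, Kx=, Au=, Enc=, Mac=
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def fetch_ciphers_v(spec="ALL"):
    """Ask the local openssl binary (hypothetical helper; only used on demand)."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         check=True, capture_output=True, text=True)
    return out.stdout


def parse_ciphers_v(text):
    """Turn the -v listing into a list of dicts; unknown lines are skipped."""
    return [m.groupdict() for m in
            (LINE_RE.match(line.strip()) for line in text.splitlines()) if m]


def classify(suite):
    """Properties that decide whether a suite belongs in the server list."""
    fs = suite["kx"] in ("ECDH", "DH")          # ephemeral key exchange
    aead = suite["mac"] == "AEAD"               # GCM in 1.0.1 builds
    rc4 = suite["enc"].startswith("RC4")
    cbc = not aead and not rc4                  # everything else is CBC mode
    # The proto column is the *lowest* protocol the suite is offered in, so a
    # CBC suite listed as SSLv3 is also negotiable under TLS 1.0.
    beast_exposed = cbc and suite["proto"] in ("SSLv3", "TLSv1")
    return {"fs": fs, "aead": aead, "rc4": rc4, "cbc": cbc,
            "beast_exposed": beast_exposed}


def recommend(suites, allow_tls10_cbc=False):
    """Keep forward-secrecy suites, drop RC4, optionally drop TLS 1.0 CBC.
    Order: AEAD first, then TLS 1.2-only suites, then ECDH before DH."""
    keep = []
    for s in suites:
        c = classify(s)
        if not c["fs"] or c["rc4"]:
            continue
        if c["beast_exposed"] and not allow_tls10_cbc:
            continue
        keep.append((s, c))
    keep.sort(key=lambda sc: (not sc[1]["aead"],
                              sc[0]["proto"] != "TLSv1.2",
                              sc[0]["kx"] != "ECDH"))
    return [s["name"] for s, _ in keep]


def apache_snippet(names):
    """mod_ssl directives: SSLv2/SSLv3 off, server-side ordering enforced."""
    return "\n".join([
        "SSLProtocol all -SSLv2 -SSLv3",
        "SSLHonorCipherOrder on",
        "SSLCipherSuite " + ":".join(names),
        "SSLInsecureRenegotiation off",
    ])


if __name__ == "__main__":
    # Swap SAMPLE_CIPHERS_V for fetch_ciphers_v() to inspect the real build.
    suites = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for s in suites:
        c = classify(s)
        print(f"{s['name']:30} fs={c['fs']!s:5} aead={c['aead']!s:5} "
              f"beast_exposed={c['beast_exposed']}")
    print()
    print(apache_snippet(recommend(suites)))
```

With the default `allow_tls10_cbc=False` the output keeps only the TLS 1.2 suites, which is what the thread's OpenSSL 1.0.1e build offers with forward secrecy and no CBC-under-TLS-1.0 exposure; pass `allow_tls10_cbc=True` to append the SHA1 CBC suites for clients that cannot negotiate TLS 1.2, at the cost of the scan finding reappearing. The `SSLProtocol all -SSLv2 -SSLv3` form avoids the `+TLSv1.2` keyword that the original post found its mod_ssl rejects.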