Checked my server at ssllabs.com (great tool to check your SSL by the way) and it reports:
Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3.0 Yes
SSL 2.0 No
SSL Labs seems to indicate that my current configuration is ok, and is “best practice”:
• TLS v1.1 and v1.2 are without known security issues. Unfortunately, many server and client platforms do not support these newer protocol versions.
The best practice is to use TLS v1.0 as your main protocol (making sure the BEAST attack is mitigated in configuration, as explained in subsequent sections) and TLS v1.1 and v1.2 if they are supported by your server platform. That way, the clients that support newer protocols will select them, and those that don’t will fall back to TLS v1.0.
You should always use the most recent versions of the protocol for security and the oldest (yet still secure) versions for interoperability with your customer base.
However, SecurityMetrics thinks otherwise. How can I fix this to become PCI compliant without breaking my server?
The above have this message:
Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details. Risk Factor: Medium/ CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE: CVE-2011-3389
Also these services:
TCP 587 submission
TCP 25 smtp
Which have this message:
Resolution: Configure the service to support less secure authentication mechanisms only over an encrypted channel. Risk Factor: Medium/ CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C:P/I:N/A:N
Chances are that you’d need to do more than just install a newer version of OpenSSL… you’d probably also need to compile Apache against that particular OpenSSL version.
I haven’t tried what you’re trying to do before, and there may be other gotchas as well… but if just installing a newer OpenSSL version doesn’t allow you to use the ciphers you need, you may need to recompile Apache.
And that’s a pretty big project.
Is using a newer CentOS distro (i.e., CentOS 6) an option?
But, it should indeed be possible to recompile Apache.
I have Virtualmin running under CentOS 6.x with Apache 2.2 (std) and openssl 1.0.1e-fips (std). According to all googling, openssl 1.0.1e should support TLS v1.2, but from an ssllabs/symantec scan, my setup is still only showing tls1.0 as being available and 1.1/1.2 as being off. My settings are:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:-MEDIUM:-LOW
Try this:
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
It should give you at least score -A. I did this as a trade-off to support some other things; otherwise, if you play a little with SSLCipherSuite, you can push to +A.
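
An added example, not part of any post in this thread: it sorts the tokens of an SSLCipherSuite string by the lowest protocol version that can negotiate each suite, to show what is left for a handshake that only reaches TLS 1.0. The sample string is an excerpt of the explicit list posted above, the helper names are hypothetical, and keyword tokens such as `EECDH+AESGCM` are only flagged because they need `openssl ciphers -v` to expand.

```python
# Added example (not from the thread): sort SSLCipherSuite tokens by the
# lowest protocol version that can negotiate them. Helper names are hypothetical.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")   # AEAD suites exist only in TLS 1.2+

# Excerpt of the explicit list posted in the thread, shortened for the example.
SAMPLE = (
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "AES128-SHA:DES-CBC3-SHA:!DSS"
)

def classify(token):
    """Categorise one colon-separated token of an OpenSSL cipher string."""
    if token[0] in "!+-":
        return "operator"            # exclusion / reordering, not a suite
    if "+" in token or "-" not in token:
        return "keyword"             # e.g. HIGH, EECDH+AESGCM: needs expansion
    if any(marker in token for marker in AEAD_MARKERS):
        return "aead-tls12"
    if "RC4" in token or "NULL" in token:
        return "not-cbc"             # stream or null cipher, no CBC chaining
    if token.endswith(("-SHA256", "-SHA384")):
        return "cbc-tls12"           # CBC with a SHA-2 MAC, defined for TLS 1.2
    if token.endswith("-SHA"):
        return "cbc-tls10"           # CBC with SHA-1 MAC, usable at TLS 1.0
    return "unknown"

def group(cipher_string):
    """Map category -> list of tokens, preserving the configured order."""
    groups = {}
    for token in filter(None, cipher_string.split(":")):
        groups.setdefault(classify(token), []).append(token)
    return groups

def tls10_offer(cipher_string):
    """Suites a TLS 1.0-only handshake can still pick from this string."""
    groups = group(cipher_string)
    return groups.get("cbc-tls10", []) + groups.get("not-cbc", [])

if __name__ == "__main__":
    for category, tokens in group(SAMPLE).items():
        print(f"{category:11} {len(tokens):2}  {', '.join(tokens)}")
    print("negotiable at TLS 1.0:", tls10_offer(SAMPLE))
```

With only TLS 1.0 enabled, every suite the sample can negotiate falls in the `cbc-tls10` group, which is the condition the CVE-2011-3389 finding describes; the AEAD suites at the front of the list only come into play once the server actually negotiates TLS 1.2.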