How to detect and disable weak ciphers and SSL 2.0/3.0 in Apache and IIS (PCI Compliance, poodlebleed)

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
# test for sslv2 (a handshake that completes means the server still accepts it)
$ openssl s_client -connect localhost:443 -ssl2

# disable sslv2 in apache
SSLProtocol -ALL +SSLv3 +TLSv1

# and in iis (.reg format; one Server key per protocol)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

# test for weak ssl ciphers
$ openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP
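The protocol and cipher probes above can be chained into one audit run. The script below is an added example, not part of the original post: it assumes openssl is on PATH and takes the host:port as its only argument. Because the -ssl2 and -ssl3 options only exist in OpenSSL builds that still compile those protocols, an "unknown option" reply is reported as untestable rather than as a pass, which is the mistake a naive grep for a failed handshake would make.

```sh
#!/bin/sh
# Added example: wraps the openssl s_client checks from the post in a small audit loop.
# Assumptions: "openssl" is on PATH; the target is given as host:port.

# Read openssl s_client output on stdin and print one word:
#   the negotiated cipher name, "none" if no handshake completed,
#   or "untestable" if this openssl build does not know the option used.
handshake_result() {
    output=$(cat)
    if printf '%s\n' "$output" | grep -qi 'unknown option'; then
        echo untestable
        return 0
    fi
    # s_client prints e.g. "New, TLSv1/SSLv3, Cipher is AES128-SHA"
    # or "New, (NONE), Cipher is (NONE)" when the handshake failed.
    cipher=$(printf '%s\n' "$output" | sed -n 's/.*Cipher is //p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)"|0000) echo none ;;
        *) echo "$cipher" ;;
    esac
}

# Run one handshake attempt against host:port with extra s_client arguments
# (for example -ssl3, or -cipher LOW:EXP) and print the classified result.
probe() {
    target=$1; shift
    openssl s_client -connect "$target" "$@" </dev/null 2>&1 | handshake_result
}

# Turn a probe result into a verdict: for every legacy check "none" (the server
# refused) is the desired answer, and any cipher name is a finding.
verdict() {
    case "$1" in
        none) echo "OK (refused)" ;;
        untestable) echo "SKIP (openssl build lacks this option)" ;;
        *) echo "FAIL (accepted: $1)" ;;
    esac
}

# The checks from this post, run in sequence against one host.
audit_host() {
    target=$1
    for check in "SSLv2:-ssl2" "SSLv3:-ssl3" "LOW/EXP ciphers:-cipher LOW:EXP" "RC4:-cipher RC4" "3DES:-cipher 3DES"; do
        label=${check%%:*}
        args=${check#*:}
        # $args is intentionally unquoted so "-cipher LOW:EXP" splits into two arguments
        result=$(probe "$target" $args)
        printf '%-18s %s\n' "$label" "$(verdict "$result")"
    done
}

# Usage: sh tlsaudit.sh SERVERNAME:443
if [ $# -eq 1 ]; then
    audit_host "$1"
fi
```

Run it before and after changing the server configuration; every line should read "OK (refused)" once the directives below are in place, and a "SKIP" for SSLv2 or SSLv3 means this client cannot speak that protocol at all, so a separate scanner such as sslscan is needed for that check.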

# disable weak ssl ciphers in apache
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

# and in iis: one Ciphers\<name> key per entry in the braces, each with Enabled=0
# (a .reg file needs them written out one key at a time)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\{DES 56/56,NULL,RC2 40/128,RC2 56/128,RC4 40/128,RC4 56/128,RC4 64/128}]
"Enabled"=dword:00000000
# either enable all except sslv2/3
SSLProtocol All -SSLv2 -SSLv3

# or disable everything except tlsv1.x
(el6) SSLProtocol -All +TLSv1
(el7) SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
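The three SSLProtocol spellings above rely on how mod_ssl combines its arguments: a bare name replaces whatever was set before it, +name adds, -name removes, and "all" stands for every protocol. The script below is an added example, not code from the post or from httpd; it applies those rules to a directive string so a config can be checked before the server is restarted. It assumes "all" expands to the fixed list at the top, whereas a real httpd uses whatever the linked OpenSSL supports.

```sh
#!/bin/sh
# Added example: evaluates an Apache mod_ssl SSLProtocol argument list the way
# httpd does (bare name = replace the set, +name = add, -name = remove, "all" =
# every protocol) so a config can be checked without restarting the server.
# Assumption: "all" expands to the fixed list below; in a real httpd it is
# whatever the linked OpenSSL supports.
ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# True when protocol $1 appears in the space-separated list $2.
proto_has() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Map one directive word (any case, prefix already stripped) to canonical names.
# Prints nothing and returns 1 for an unknown protocol, as httpd would refuse it.
proto_names() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        all)      echo "$ALL_PROTOCOLS" ;;
        sslv2)    echo SSLv2 ;;
        sslv3)    echo SSLv3 ;;
        tlsv1)    echo TLSv1 ;;
        tlsv1.1)  echo TLSv1.1 ;;
        tlsv1.2)  echo TLSv1.2 ;;
        *)        return 1 ;;
    esac
}

# Print the protocols left enabled by an SSLProtocol argument string,
# in canonical order, or "(none)" if nothing remains.
effective_protocols() {
    enabled=""
    for word in $1; do
        action=""
        case "$word" in
            +*) action="+"; word=${word#+} ;;
            -*) action="-"; word=${word#-} ;;
        esac
        names=$(proto_names "$word") || { echo "unknown protocol '$word'" >&2; return 2; }
        case "$action" in
            +)  for n in $names; do proto_has "$n" "$enabled" || enabled="$enabled $n"; done ;;
            -)  kept=""
                for e in $enabled; do proto_has "$e" "$names" || kept="$kept $e"; done
                enabled=$kept ;;
            *)  enabled=$names ;;   # no prefix: replaces everything set so far (httpd logs a warning)
        esac
    done
    out=""
    for p in $ALL_PROTOCOLS; do proto_has "$p" "$enabled" && out="$out $p"; done
    out=${out# }
    if [ -n "$out" ]; then echo "$out"; else echo "(none)"; fi
}

# Returns 0 when the directive disables SSLv2 and SSLv3 and still leaves some TLS version on.
legacy_disabled() {
    set -- $(effective_protocols "$1")
    proto_has SSLv2 "$*" && return 1
    proto_has SSLv3 "$*" && return 1
    case "$*" in *TLSv*) return 0 ;; esac
    return 1
}

# Walk through the variants shown in this post.
for directive in "all -SSLv2 -SSLv3" "-ALL +SSLv3 +TLSv1" "-All +TLSv1 +TLSv1.1 +TLSv1.2"; do
    if legacy_disabled "$directive"; then status="ok"; else status="still allows SSLv2/SSLv3 or no TLS"; fi
    printf 'SSLProtocol %-32s => %-24s %s\n' "$directive" "$(effective_protocols "$directive")" "$status"
done
```

The walk-through makes the difference between the variants visible: "-ALL +SSLv3 +TLSv1" from the sslv2 section still leaves SSLv3 on, while the "all -SSLv2 -SSLv3" and "-All +TLSv1 ..." forms do not. The replace-on-bare-name rule is the one that bites in practice: "SSLProtocol all TLSv1" ends up with only TLSv1, not with all.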

# and for nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# and in iis
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
# install sslscan (from EPEL on el6/el7, or from the Debian/Ubuntu repos) and scan a host
$ sudo yum install sslscan
$ sudo apt-get install sslscan
$ sslscan <host>