Tom Browder | 7 Aug 2012 14:14

Two SSL directives appear to be not working with SSL Labs server test

I have been checking my Apache 2.2.14 server with this link:

  https://www.ssllabs.com/ssltest/index.html

I am trying to improve my SSL Labs security score but can't beat 85.
I am running Apache 2.2.14 (from Ubuntu's package).

I get the following scores:

  Certificate          100
  Protocol support      85
  Key exchange          80
  Cipher exchange       90

The test report shows:

  This server is vulnerable to the BEAST attack.
  Certificate Key RSA/4096 bits
  Cipher Suites (sorted by strength; server has no preference)
    TLS_RSA_WITH_RC4_128_MD5 (0x4)                                          128
    TLS_RSA_WITH_RC4_128_SHA (0x5)                                          128
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)                                     128
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)                                     168
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   168
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)                                     256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   256

Eric Covener | 7 Aug 2012 14:46

Re: Two SSL directives appear to be not working with SSL Labs server test

On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder <at> gmail.com> wrote:
> I have been checking my Apache 2.2.14 server with this link:
>
>   https://www.ssllabs.com/ssltest/index.html
>
> I am trying to improve my SSL Labs security score but can't beat 85.
> I am running Apache 2.2.14 (from Ubuntu's package).
>
> I get the following scores:
>
>   Certificate              100
>   Protocol support       85
>   Key exchange          80
>   Cipher exchange      90
>
> The test report shows:
>
>   This server is vulnerable to the BEAST attack.
>   Certificate Key RSA/4096 bits
>   Cipher Suites (sorted by strength; server has no preference)

I'm not sure how the tool can make that determination. SSLv3-and-later
allows the server to pick any cipher out of the intersection of what's
supported by both ends.

>     TLS_RSA_WITH_RC4_128_MD5 (0x4)      128
>     TLS_RSA_WITH_RC4_128_SHA (0x5)      128
>     TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   128

Tom Browder | 7 Aug 2012 15:05

Re: Two SSL directives appear to be not working with SSL Labs server test

On Tue, Aug 7, 2012 at 7:46 AM, Eric Covener <covener <at> gmail.com> wrote:
> On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder <at> gmail.com> wrote:
>> I have been checking my Apache 2.2.14 server with this link:
>>
>>   https://www.ssllabs.com/ssltest/index.html
...
>>   Cipher Suites (sorted by strength; server has no preference)
>
> I'm not sure how the tool can make that determination. SSLv3-and-later
> allows the server to pick any cipher out of the intersection of what's
> supported by both ends

According to the site's docs (a post by Ivan Ristic), they do this, quote:

In a nutshell, here is what we do:

1. Send a list of cipher suites we wish to test (the list contains
only the suites we know are supported)

2. If the server selects a suite that's not first on the list, we know
it has a preference for it

3. If the server selects a suite that is first on the list, we put it
at the end of the list and send the list again (if the server really
has a preference for that suite, it will choose it even when the suite
is at the bottom of the list).

4. We remove the selected suite from the list and repeat the process
until we run out of suites

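The four probing steps quoted above, reconstructed as a runnable simulation. This is an added example for this archive page, not SSL Labs' code and not code posted by anyone in the thread. The two server models (`client_order_server`, which takes the first mutually supported suite from the ClientHello, and `server_order_server`, which walks its own list) and the candidate list are assumptions built for illustration; the suite IDs are the ones from the report in the first message.

```python
"""Simulation of the SSL Labs cipher-preference probe quoted in the thread.

Constructed example: the server models below stand in for a real TLS
handshake, and the candidate list is taken from the report in this thread.
"""

# Cipher suite IDs as listed in the SSL Labs report above (IANA values).
SUITES = {
    0x04: "TLS_RSA_WITH_RC4_128_MD5",
    0x05: "TLS_RSA_WITH_RC4_128_SHA",
    0x2F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x16: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}


def client_order_server(supported):
    """Model (assumption) of a server without preference: it takes the first
    suite in the ClientHello that it supports, so the client's order wins."""
    supported = set(supported)

    def choose(client_hello):
        return next((s for s in client_hello if s in supported), None)

    return choose


def server_order_server(preference):
    """Model (assumption) of a server with its own preference list: it walks
    that list and takes the first suite the client offered, whatever the
    client's order."""
    preference = list(preference)

    def choose(client_hello):
        offered = set(client_hello)
        return next((s for s in preference if s in offered), None)

    return choose


def probe_preference(choose, candidates):
    """Steps 1-4 of the quoted algorithm.

    `choose(client_hello)` stands in for one TLS handshake and returns the
    suite the server selected.  `candidates` must contain only suites the
    server is already known to support (step 1).  Returns
    (has_preference, order, handshakes): `order` is the sequence in which
    suites were selected, which is the server's own order when it has a
    preference and merely the client's order echoed back when it does not.
    """
    remaining = list(candidates)
    order = []
    has_preference = False
    handshakes = 0
    while remaining:
        selected = choose(remaining)
        handshakes += 1
        if selected is None:
            raise ValueError("server rejected every remaining suite; "
                             "the candidate list was not pre-filtered")
        if selected != remaining[0]:
            # Step 2: the server ignored the client's first choice.
            has_preference = True
        elif len(remaining) > 1:
            # Step 3: move the chosen suite to the end and ask again.  A
            # preferring server still picks it; a client-order server now
            # picks the new head of the list instead.
            rotated = remaining[1:] + [remaining[0]]
            handshakes += 1
            if choose(rotated) == selected:
                has_preference = True
        # Step 4: drop the selected suite and repeat until none are left.
        order.append(selected)
        remaining.remove(selected)
    return has_preference, order, handshakes


def describe(has_preference, order):
    """Render the result the way the report phrases it."""
    heading = ("server has preference" if has_preference
               else "server has no preference")
    return [heading] + ["  %s (0x%x)" % (SUITES[s], s) for s in order]


if __name__ == "__main__":
    candidates = list(SUITES)
    no_pref = client_order_server(SUITES)
    print("\n".join(describe(*probe_preference(no_pref, candidates)[:2])))
    # Constructed preference list: DHE and AES-256 first, RC4 last.
    own_order = [0x39, 0x35, 0x33, 0x2F, 0x16, 0x0A, 0x05, 0x04]
    print("\n".join(describe(*probe_preference(
        server_order_server(own_order), candidates)[:2])))
```

Running it shows why the probe is decisive: the client-order server is identified as having no preference after the very first rotation and the recovered "order" is just the candidate order sent to it, while the preferring server's own list is recovered exactly, whichever order the candidates are offered in. The cost is at most two handshakes per suite. One caveat a practitioner should keep in mind: the probe presumes the candidate list has already been reduced to suites the server accepts; offered an unsupported list it fails the handshake, which the simulation surfaces as a ValueError. In Apache mod_ssl, server-side ordering of the kind the second model shows is what `SSLHonorCipherOrder on` enables; it is off by default, which matches the "server has no preference" line in the report.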

