July 23, 2018 158 Views 0 Comment

Disable 3DES SSL Ciphers in Apache on Centos 7

SHARE THIS ARTICLE

A very popular Web Site Security Audit tool I use to keep track of vulnerabilities as they develop on my website is a service called ScanMyServer. It’s a useful yet inexpensive online tool that does exactly what it promises. It automatically scans a website and emails a full security report that includes a score and letter grade based on the results.

A recent discovery the tool picked up was a weak cipher alert:
Sweet32 Birthday Attacks on 64-bit Block Ciphers in TLS and OpenVPN (DES-CBC3)

Summary

This test detects SSL ciphers DES-CBC3 supported by the remote service for encrypting communications.

Solution

Disable 3DES SSL Ciphers in Apache

Disabling 3DES ciphers in Apache is about as easy too. Find where your ciphers are defined with the following command (again, presuming your Apache config is in /etc/httpd/):


<grep -r "SSLCipherSuite" /etc/httpd/>

Once you’ve found the file containing your cipher suite, make sure it contains ‘!3DES’. As of today, this is a suitable list:


SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES

After changing your cipher suite, test your config (httpd -t) and restart the service in question (service httpd restart).