Disable 3DES SSL Ciphers in Apache on CentOS 7
A very popular Web Site Security Audit tool I use to keep track of vulnerabilities as they develop on my website is a service called ScanMyServer. It’s a useful yet inexpensive online tool that does exactly what it promises. It automatically scans a website and emails a full security report that includes a score and letter grade based on the results.
A recent discovery the tool picked up was a weak cipher alert:
Sweet32 Birthday Attacks on 64-bit Block Ciphers in TLS and OpenVPN (DES-CBC3)
Summary
This test detects SSL ciphers DES-CBC3 supported by the remote service for encrypting communications.
Solution
Disable 3DES SSL Ciphers in Apache
Disabling 3DES ciphers in Apache is just as easy. Find where your ciphers are defined with the following command (again, presuming your Apache config lives in /etc/httpd/):
grep -r "SSLCipherSuite" /etc/httpd/
Once you’ve found the file containing your cipher suite, make sure it contains ‘!3DES’. The leading ‘!’ removes the 3DES suites permanently, so a later entry such as HIGH cannot add them back. As of today, this is a suitable list:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES
After changing your cipher suite, test your config (httpd -t) and restart the service in question (service httpd restart).
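The check a practitioner would want after editing the directive, as an added Python example that is not the blog's own code: it models the part of OpenSSL's cipher-string rules that matters for 3DES (‘!’ versus ‘-’ versus ‘+’) and walks every SSLCipherSuite directive in a config, including per-VirtualHost overrides that the recursive grep above would surface. It assumes OpenSSL 1.0.2 as shipped on CentOS 7, where DES-CBC3 is still classed HIGH; the sample config is constructed.

```python
import re

# Tokens that select 3DES suites on OpenSSL 1.0.2 (CentOS 7), where DES-CBC3 is
# still HIGH. Assumption: OpenSSL 1.1.0+ moved 3DES to MEDIUM, so HIGH differs there.
_ALIASES_WITH_3DES = {"3DES", "HIGH", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}

def _selects_3des(token):
    """True if a cipher-string token (sign stripped) matches any DES-CBC3 suite."""
    name = token.lstrip("!-+")
    return name in _ALIASES_WITH_3DES or "DES-CBC3" in name

def allows_3des(cipher_string):
    """Simplified model of OpenSSL cipher-string rules, answering one question:
    does this SSLCipherSuite value still leave a 3DES suite enabled?  '!' removes
    permanently, '-' removes but a later positive token may re-add, '+' reorders."""
    enabled = killed = False
    for token in cipher_string.split(":"):
        if not token or token.startswith("@") or not _selects_3des(token):
            continue  # empty token, '@' option, or a token unrelated to 3DES
        if token.startswith("!"):
            enabled, killed = False, True
        elif token.startswith("-"):
            enabled = False
        elif not token.startswith("+") and not killed:
            enabled = True
    return enabled

def find_cipher_suites(conf_text):
    """(line_no, value) for every SSLCipherSuite directive, including ones
    inside <VirtualHost> blocks that override the global setting."""
    pattern = re.compile(r'^\s*SSLCipherSuite\s+"?([^"\s]+)')
    found = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = pattern.match(line)
        if m:
            found.append((n, m.group(1)))
    return found

def audit(conf_text):
    return [(n, v, allows_3des(v)) for n, v in find_cipher_suites(conf_text)]

# Constructed sample config, not taken from any real server.
SAMPLE_CONF = """\
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
<VirtualHost *:443>
    ServerName legacy.example.test
    SSLCipherSuite HIGH:-3DES:!aNULL:HIGH
</VirtualHost>
"""
```

Running audit(SAMPLE_CONF) flags the vhost directive on line 4: its ‘-3DES’ is undone by the trailing HIGH, which is exactly why the text insists on ‘!3DES’.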