I've got Apache in front of A4D. A few weeks ago I generated self-signed
SSL certs for 3 virtual hosts on my development server. The
institutional IT folks scanned the machine with Nessus or WebInspect
over the weekend and dinged me for having weak encryption ciphers
enabled. By default Apache will enable every cipher suite. The result is
the weak ones (40 bit) are exposed.
Here is the list of weak SSL ciphers supported by the remote server:
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are:
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
I found various solutions for fixing this problem via Google and in an
Apache book.
Basically you disable the ciphers via these directives.
SSLProtocol
SSLCipherSuite
The problem is I suspect the solutions I found aren't Mac OS X specific
because when I restarted Apache after installing them things got very
ugly. I've spent the day getting the server to start again and back to
where it was.
Has anyone here tackled this problem and if so would you mind sharing
your settings?
Thanks,
Brad Perkins
_______________________________________________
Active4D-dev mailing list
[email protected]
http://mailman.aparajitaworld.com/mailman/listinfo/active4d-dev
Archives: http://mailman.aparajitaworld.com/archive/active4d-dev/
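An added example, not part of the original post, of what the two directives look like in one SSL virtual host that drops the 40-bit export suites the scan listed. The hostname, certificate paths and the commented-out "before" line (the stock cipher string I assume the stock Apache 2.x ssl.conf of that era shipped with) are placeholders and assumptions, and the same directives would need to go into each of the three SSL virtual hosts or the global SSL config.

```apache
# Added example (not from the original post or the Active4D project).
# Hostname and certificate paths are placeholders.
<VirtualHost *:443>
    ServerName dev.example.test
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder.crt
    SSLCertificateKeyFile /path/to/placeholder.key

    # Before (assumed stock string): "+LOW" and "+EXP" pull in the
    # export suites the scanner flagged: DES(40), RC2(40), RC4(40).
    # SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # After: no SSLv2/SSLv3, only HIGH-strength suites, and explicit
    # exclusion of export, low-strength, anonymous, null and MD5 suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
    # Let the server, not the client, pick the strongest common suite.
    SSLHonorCipherOrder on
</VirtualHost>
```

Run `apachectl configtest` before restarting so a typo in the directives does not leave the server down, and `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4'` shows exactly which suites the string expands to, which should contain no EXP- entries.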