Hello friends,

I recently scanned our domain with Qualys SSL Labs and found out that we have 2
problems as listed below:

1) This server is vulnerable to the POODLE attack. If possible, disable SSL
3 to mitigate. Grade capped to C
2) This server accepts RC4 cipher, but only with older protocol versions.
Grade capped to B.

Our server runs Debian x64 with Apache 2.2 as a load-balancer and fail-over
for 2 Tomcat instances. So I configured the settings for both Apache and
Tomcat for both these problems. Here are the changes I made, but I still
keep getting the two errors I mentioned above. What am I doing wrong?

Changes to mods-available/ssl.conf :

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3!EXPORT

Changes to the 8443 connector for Tomcat:

<Connector port="8443" enableLookups="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="200" compression="off"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
           compressionMinSize="1024" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/path/to/file.keystore"
           keystorePass="PASSWORD" URIEncoding="utf-8"/>


I would really like to use compression, but because the links I found
suggested disabling compression, I have disabled it. Can I use
compression with SSL disabled? How are the two related?

Still, I keep getting the above 2 errors. What am I missing? If any more
information is required, kindly let me know. Thank you.

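The two config fragments in the post can be checked offline before rescanning. The Tomcat `ciphers` attribute still lists two RC4 suites (`TLS_ECDHE_RSA_WITH_RC4_128_SHA` and `SSL_RSA_WITH_RC4_128_SHA`), and the Apache `SSLCipherSuite` value ends in `!SSLv3!EXPORT`, which is not a single OpenSSL cipher-string token because the `:` separator between `!SSLv3` and `!EXPORT` is missing. The lint below is an added example, not code from the poster or from the Apache or Tomcat projects; it embeds constructed copies of the posted fragments (keystore path and password kept as the placeholders shown), flags suite names a scanner such as SSL Labs grades down, and flags malformed OpenSSL tokens. The `WEAK_MARKERS` list and the function names are my own choices.

```python
"""Offline lint for the Apache mod_ssl and Tomcat TLS settings shown in the post.

Added example. Flags cipher suites that scanners such as Qualys SSL Labs grade
down (RC4, NULL, EXPORT, anonymous, single DES, MD5) and OpenSSL cipher-string
tokens that are not well-formed. The configuration text is a constructed copy
of the post's fragments, not read from a live server.
"""
import re
from xml.etree import ElementTree as ET

# Constructed copy of the Tomcat 8443 connector from the post.
TOMCAT_CONNECTOR = """<Connector port="8443" enableLookups="true"
    protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
    maxThreads="200" compression="off"
    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
    compressionMinSize="1024" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS"
    keystoreFile="/path/to/file.keystore"
    keystorePass="PASSWORD" URIEncoding="utf-8"/>"""

# Constructed copy of the Apache mod_ssl directives from the post.
APACHE_SSLPROTOCOL = "All -SSLv2 -SSLv3"
APACHE_SSLCIPHERSUITE = "ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3!EXPORT"

# Substrings in a JSSE suite name that mark it as one a scanner penalises.
# "_DES_" matches single DES (TLS_RSA_WITH_DES_CBC_SHA) but not "3DES".
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "_anon_", "_DES_", "MD5")

# One OpenSSL cipher-string token: optional !, + or - prefix, then one name.
# Tokens are separated by ':', so "!SSLv3!EXPORT" is not a valid single token.
OPENSSL_TOKEN = re.compile(r"^[!+-]?[A-Za-z0-9_]+$")


def tomcat_findings(connector_xml):
    """Parse one <Connector> element; report protocols and weak suite names."""
    conn = ET.fromstring(connector_xml)
    protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
    suites = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
    weak = [s for s in suites if any(marker in s for marker in WEAK_MARKERS)]
    return {
        "protocols": protocols,
        "sslv3_enabled": "SSLv3" in protocols,
        "weak_ciphers": weak,
    }


def apache_findings(ssl_protocol, ssl_cipher_suite):
    """Check SSLProtocol drops SSLv3 and SSLCipherSuite is well-formed and bans RC4."""
    proto_tokens = ssl_protocol.split()
    tokens = ssl_cipher_suite.split(":")
    malformed = [t for t in tokens if not OPENSSL_TOKEN.match(t)]
    return {
        "sslv3_disabled": "-SSLv3" in proto_tokens and "+SSLv3" not in proto_tokens,
        "rc4_excluded": "!RC4" in tokens,
        "malformed_tokens": malformed,
    }


def report(connector_xml, ssl_protocol, ssl_cipher_suite):
    """Human-readable summary of both checks; returns the lines it prints."""
    lines = []
    t = tomcat_findings(connector_xml)
    lines.append("Tomcat protocols: %s" % ", ".join(t["protocols"]))
    for suite in t["weak_ciphers"]:
        lines.append("Tomcat ciphers: weak suite still offered: %s" % suite)
    a = apache_findings(ssl_protocol, ssl_cipher_suite)
    lines.append("Apache SSLv3 disabled: %s" % a["sslv3_disabled"])
    lines.append("Apache !RC4 present: %s" % a["rc4_excluded"])
    for token in a["malformed_tokens"]:
        lines.append("Apache SSLCipherSuite: malformed token %r (missing ':'?)" % token)
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(TOMCAT_CONNECTOR, APACHE_SSLPROTOCOL, APACHE_SSLCIPHERSUITE)
```

A lint only tells you what the files say; it cannot tell you which listener the scanner actually reached (the Apache front end on 443 or a Tomcat connector on 8443), so after editing, confirm against the live port with `openssl s_client -connect host:443 -ssl3` and `openssl s_client -connect host:443 -cipher RC4` and expect both handshakes to fail (the `-ssl3` option is only available in an OpenSSL build that still includes SSLv3).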