Hello friends,

I recently scanned our domain Qualys SSL lab and found out that we have 2
problems as listed below :

1) This server is vulnerable to the POODLE attack. If possible, disable SSL
3 to mitigate. Grade capped to C
2) This server accepts RC4 cipher, but only with older protocol versions.
Grade capped to B.

Our server runs Debian X64 with Apache 2.2 as a load-balancer and fail-over
for 2 tomcat instances. So I configured the settings for both Apache and
Tomcat for both these problems. Here are the changes I made, but I still
keep getting the two errors I mentioned above. What am I doing wrong?

Changes to mods-available/ssl.conf :

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on

Changes to 8443 connector for TOmcat :

<Connector port="8443" enableLookups="true"
> protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
> maxThreads="200" compression="off"
>             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> compressionMinSize="1024" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS"
>                 keystoreFile="/path/to/file.keystore"
> keystorePass="PASSWORD" URIEncoding="utf-8"/>

I would really like to use compression, but because the links I found
suggested to disable compression, I have disabled them. Can I use
compression with SSL disabled, how are they both related?

Still, I keep getting the above 2 errors. What am I missing? If any more
information is required, kindly let me know…Kindly let me know. Thank you,.

Reply via email to