We originally configured Apache with this directive: SSLCipherSuite RC4-SHA
Then, then when the network scan found the vulnerability, we modify with this SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA But now we have CBC and for the security requirements we have to delete RC4, CBC, and MD5 and probably other ciphers that I can't' remember. Have you any suggestion in order to configure SSLCipherSuite to be compliant to CVE-2013-2566 Thanks in advance. Manuela Vorazzo -----Messaggio originale----- Da: Eric Covener [mailto:cove...@gmail.com] Inviato: lunedì 20 gennaio 2014 13:10 A: users@httpd.apache.org Oggetto: Re: [users@httpd] CVE-2013-2566 > The RC4 algorithm, as used in the TLS protocol and SSL protocol, has > many s= ingle-byte biases, which makes it easier for remote attackers > to conduct pl= aintext-recovery attacks via statistical analysis of > ciphertext in a large = number of sessions that use the same plaintext. http://httpd.apache.org/security_report.html You can configure Apache to not use RC4. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org *******************Internet Email Confidentiality Footer******************* Qualsiasi utilizzo non autorizzato del presente messaggio nonché dei suoi allegati è vietato e potrebbe costituire reato. Se ha ricevuto per errore il presente messaggio, Le saremmo grati se ci inviasse, via e-mail, una comunicazione al riguardo e provvedesse nel contempo alla distruzione del messaggio stesso e dei suoi eventuali allegati. Le dichiarazioni contenute nel presente messaggio nonche' nei suoi eventuali allegati devono essere attribuite al mittente e non possono essere necessariamente considerate come autorizzate da SIA S.p.A.; le medesime dichiarazioni non impegnano SIA S.p.A. nei confronti del destinatario o di terzi. SIA S.p.A. non si assume alcuna responsabilita' per eventuali intercettazioni, modifiche o danneggiamenti del presente messaggio e-mail. Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute an offence. If you are not the intended addressee please advise immediately the sender by using the reply facility in your e-mail software and destroy the message and its attachments. The statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of SIA S.p.A. Besides, The contents of this message shall be understood as neither given nor endorsed by SIA S.p.A.. SIA S.p.A. does not accept liability for corruption, interception or amendment, if any, or the consequences thereof. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
