That configuration looks to me like it says NOT CBC or MD5. Can you confirm whether the server is actually accepting CBC or MD5 ciphers? A tool like https://www.ssllabs.com/ssltest/index.html can tell you, if your server is publicly accessible.
- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jan 20, 2014 7:30 AM, "Vorazzo Manuela" <manuela.vora...@sia.eu> wrote:
> We originally configured Apache with this directive:
>
> SSLCipherSuite RC4-SHA
>
> Then, when the network scan found the vulnerability, we modified it with this:
>
> SSLCipherSuite
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA
>
> But now we have CBC, and for the security requirements we have to delete
> RC4, CBC, and MD5 and probably other ciphers that I can't remember.
>
> Have you any suggestion in order to configure SSLCipherSuite to be
> compliant with CVE-2013-2566?
>
> Thanks in advance.
>
> Manuela Vorazzo
>
> -----Original Message-----
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Monday, 20 January 2014 13:10
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] CVE-2013-2566
>
> > The RC4 algorithm, as used in the TLS protocol and SSL protocol, has
> > many single-byte biases, which makes it easier for remote attackers
> > to conduct plaintext-recovery attacks via statistical analysis of
> > ciphertext in a large number of sessions that use the same plaintext.
> > http://httpd.apache.org/security_report.html
>
> You can configure Apache to not use RC4.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
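A local way to answer the question above (are CBC or MD5 suites still enabled by that SSLCipherSuite string?) without a public scanner, as an added example that is not part of the thread: it hands the string to the local OpenSSL resolver and flags every suite that comes back using RC4, CBC mode or an MD5 MAC. The function names, the reason labels and the sample `openssl ciphers -v` output are my own constructions.

```python
"""Flag RC4, CBC-mode and MD5 suites in an Apache SSLCipherSuite string.
Added example, not from the thread: the string is expanded by OpenSSL's own resolver
(`openssl ciphers -v`, the same parser mod_ssl hands the directive to) and checked."""
import re
import subprocess

# The directive quoted in Manuela's message.
THREAD_CIPHER_STRING = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:"
    "!DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA"
)
# Constructed sample of `openssl ciphers -v` output, so the audit can run offline.
SAMPLE_OPENSSL_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""
LINE_RE = re.compile(r"^(?P<name>\S+)\s+\S+\s+Kx=\S+\s+Au=\S+\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

def policy_violations(line):
    """Return (suite, [reasons]) for one `openssl ciphers -v` line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    enc, mac = m["enc"], m["mac"]
    is_rc4 = enc.startswith("RC4")
    # OpenSSL names the mode only for AEAD suites (AESGCM, CHACHA20/POLY1305, Mac=AEAD);
    # a block cipher shown as AES(256) or 3DES(168) with a separate HMAC is CBC mode.
    is_cbc = mac != "AEAD" and not is_rc4 and enc != "None"
    checks = [("RC4", is_rc4), ("MD5", mac == "MD5"), ("CBC", is_cbc)]
    return m["name"], [label for label, hit in checks if hit]

def expand_with_openssl(cipher_string):
    """Resolve the string with the local OpenSSL binary (CalledProcessError if rejected)."""
    return subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          check=True, capture_output=True, text=True).stdout

def audit(cipher_string, verbose_output=None):
    """Map each offending suite to its reasons; an empty dict means the string is clean."""
    if verbose_output is None:
        verbose_output = expand_with_openssl(cipher_string)
    findings = {}
    for line in verbose_output.splitlines():
        parsed = policy_violations(line)
        if parsed and parsed[1]:
            findings[parsed[0]] = parsed[1]
    return findings
```

Call `audit(THREAD_CIPHER_STRING)` on the server itself to check against the OpenSSL build mod_ssl actually links; the sample output only exercises the classifier offline.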