Hi Robert,

2018-01-16 10:21 GMT+01:00 Robert S <robert.spam.me.sensel...@gmail.com>:

> Hi.
>
> I have run a server test on
> https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp.  It
> reports that my certificate is installed correctly but the server is
> vulnerable to a BEAST attack.  It says "Make sure you have the TLSv1.2
> protocol enabled on your server. Disable the RC4, MD5, and DES
> algorithms. Contact your web server vendor for assistance."
>
> I believe that I have disabled these protocols - here are the relevant
> lines in my config:
>
> SSLEngine on
> SSLProtocol ALL -SSLv2 -SSLv3
> SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
> SSLHonorCipherOrder On
>
> Can anyone help here?
>

IIRC a permanent solution for BEAST was to disable TLS 1.0, but I'd check
https://mozilla.github.io/server-side-tls/ssl-config-generator/ and see how
the above SSLCipherSuite setting can be changed to be up to date.

Hope that helps,

Luca
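
Added example (not part of the original thread, and not Apache's or OpenSSL's own parser): BEAST applies to CBC cipher suites negotiated under SSL 3.0 or TLS 1.0, so this sketch works out which protocols an `SSLProtocol` line leaves enabled and which cipher-list tokens can still select a CBC suite. The expansion of `all`, the marker-based CBC heuristic, and every function and constant name are assumptions of the example; the cipher list is an abbreviated copy of the one quoted above.

```python
# Added example: simplified model of mod_ssl directive handling, for auditing only.
# Assumption: "all" expands to these protocols (OpenSSL 1.0.1-era mod_ssl build).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL | {"SSLv2", "TLSv1.3"}}
BEAST_PROTOCOLS = {"SSLv3", "TLSv1"}  # CBC IVs are predictable in these versions
# Heuristic (assumption): a token naming an AEAD or stream cipher is not CBC.
NON_CBC_MARKERS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")


def effective_protocols(directive_args):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for token in directive_args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        chosen = set(ALL) if name == "all" else {CANON[name]}
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled


def cbc_candidates(cipher_string):
    """Return non-excluded tokens that can select a CBC suite (aliases included)."""
    found = []
    for token in cipher_string.strip('"').split(":"):
        token = token.strip()
        if not token or token[0] in "!-":
            continue  # exclusions are skipped, not subtracted from aliases
        if not any(marker in token.upper() for marker in NON_CBC_MARKERS):
            found.append(token)
    return found


def beast_exposure(protocol_args, cipher_string):
    """Flag a config that allows a CBC suite on SSLv3 or TLSv1."""
    weak = effective_protocols(protocol_args) & BEAST_PROTOCOLS
    cbc = cbc_candidates(cipher_string) if weak else []
    return {"protocols": sorted(weak), "cbc_tokens": cbc, "exposed": bool(weak and cbc)}


# Taken from the configuration quoted in the thread (cipher list abbreviated).
POSTED_PROTOCOL = "ALL -SSLv2 -SSLv3"
POSTED_CIPHERS = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
                  "AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!RC4:!MD5")
```

With the posted values the result lists `TLSv1` as still enabled alongside CBC-capable tokens; appending `-TLSv1` to the protocol arguments clears the flag.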
