Disable SSL Medium Strength Cipher Suites

July 10, 2021

NESSUS tool found below vulnerability on the scan of a server.

42873 – SSL Medium Strength Cipher Suites Supported

 

Synopsis

The remote service supports the use of medium strength SSL ciphers.

 

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths of at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.

Solution

Disable SSL Medium Strength Cipher Suites

Follow the steps given below to disable SSL medium strength cipher suites support on an Apache web server:

  • First, see the list of SSL Cipher Suites configured on your server. Here my server has the followings list of SSLCipherSuite as shown below: 
    # cat /etc/httpd/conf.d/ssl.conf

.
.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
.
.
  • The above list shows that SSL Medium Cipher Suites ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA and DES-CBC3-SHA are enabled.
  • To disable these SSL Medium Cipher Suites, edit the /etc/httpd/conf.d/ssl.conf file and make the SSL Cipher Suites list as shown below: 
    # vi /etc/httpd/conf.d/ssl.conf

.
.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
.
.
  • Restart the HTTP service using the below command. 
    # systemctl restart httpd.service
  • Now, SSL medium strength cipher suites have been disabled on your server. You may verify it by running the NESSUS tool once again.

Reference:

Last Updated: July 10, 2021
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.