# [SOLVED] eliminate Cipher Suites sorted by strength; 40

## Joseph_sys

From 

https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca

I'm getting: 

```
Cipher Suites (sorted by strength; the server has no preference)

TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK      40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK      40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK      40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK      40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK      56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK      56
```

So I'm getting "C" mark.

How to eliminate 40 bit key support?

And how to fix: 

 *Quote:*   

> The server does not support Forward Secrecy with the reference browsers

 Last edited by Joseph_sys on Sun Jun 22, 2014 3:33 am; edited 1 time in total

----------

## Duncan Mac Leod

 *Joseph_sys wrote:*   

> From 
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca
> 
> I'm getting: 
> ...

 

To get an A+ rating on this site, look at my posting: https://forums.gentoo.org/viewtopic-t-990050.html

----------

## Joseph_sys

 *Duncan Mac Leod wrote:*   

> To get an A+ rating on this site, look at my posting: https://forums.gentoo.org/viewtopic-t-990050.html

 

Thanks, where do I insert the code below:

```
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```

Now I'm getting an "F" mark :-/

This server supports anonymous (insecure) suites (see below for details). Grade set to F.

```
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE      128
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE      112
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE      256
```

----------

## Duncan Mac Leod

Insert my Config-lines in: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf

I am running apache-2.2.27 and got an A+ rating. Don't know what your configs look like... - sorry!

Check your config for duplicate lines like 'SSLCipherSuite' !!

----------

## Joseph_sys

 *Duncan Mac Leod wrote:*   

> Insert my Config-lines in: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
> 
> I am running apache-2.2.27 and got an A+ rating. Don't know what your configs look like... - sorry!
> 
> Check your config for duplicate lines like 'SSLCipherSuite' !!

 

I was getting "A-" from ssl lab:

https://www.ssllabs.com/ssltest/analyze.html?d=sysconcept.ca

with this code before upgrading apache two months ago:

```
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
```

Now with apache-2.2.27 I get "C" because of weak Cipher Strength inclusion:

```
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK      40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK      40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK      40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK      40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK      56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK      56
```

How to eliminate it? I've tried your setting; it doesn't help:

```
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
```
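An added check, written for this page and not posted by anyone in the thread: it parses SSL Labs suite lines in the format quoted above (the sample copies the thread's WEAK/INSECURE lines and adds one constructed strong suite) and reports which OpenSSL `!` keywords a given SSLCipherSuite value lacks. Run against the two cipher strings from this thread, the old `ALL:!ADH:...` string is missing only `!aNULL` (its `!ADH` covers anonymous DH but not the ECDH_anon suites), while the later string lacks nothing, so when weak suites still appear with it the cipher string is not what is letting them through and the directive actually in effect (which file, duplicate lines) is the thing to check.

```python
import re

# Constructed sample report: the WEAK/INSECURE lines quoted in this thread, plus one strong
# ECDHE/AES-GCM line (constructed) so a suite that needs no action is visible in the output.
SSLLABS_REPORT = """\
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK      40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK      40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits (p: 64, g: 1, Ys: 64)   FS   WEAK      40
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK      56
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE      128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE         112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits   FS      128
"""
OLD_CIPHERS = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT"  # the thread's value that scored C
WORKING_CIPHERS = ("EECDH+AESGCM:EDH+AESGCM:EECDH:-RC4:EDH:-CAMELLIA:-SEED:"
                   "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4")  # the value that scored A
LINE_RE = re.compile(r"^(TLS_\w+) \((0x[0-9a-fA-F]+)\)\s+(.*?)\s*(\d+)$")

def parse_report(text):
    """Yield (suite, hex_id, middle_text, key_bits) for every SSL Labs suite line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def exclusions_for(suite, bits):
    """OpenSSL '!' tokens that permanently remove this suite; the most specific problem wins."""
    # Anonymous, export-grade or null-encryption suites: one keyword covers the whole family.
    # Note !ADH only removes anonymous DH; the ECDH_anon suites (0xc016-0xc019) need !aNULL.
    for marker, token in (("_anon_", "!aNULL"), ("_EXPORT_", "!EXP"), ("_WITH_NULL_", "!eNULL")):
        if marker in suite:
            return {token}
    tokens = set()
    if "_DES_CBC_" in suite or bits < 112: tokens.add("!LOW")  # single DES and other sub-112-bit
    if "3DES" in suite:        tokens.add("!3DES")
    if "RC4" in suite:         tokens.add("!RC4")
    if suite.endswith("_MD5"): tokens.add("!MD5")
    return tokens

def required_exclusions(report):
    """Union of the tokens needed to clear every WEAK or INSECURE line in the report."""
    need = set()
    for suite, _hexid, middle, bits in parse_report(report):
        if "WEAK" in middle or "INSECURE" in middle:
            need |= exclusions_for(suite, bits)
    return need

def missing_exclusions(cipher_string, report):
    """Required tokens absent from an SSLCipherSuite value; [] means the string is not the problem."""
    # OpenSSL separates tokens with ':', ',' or whitespace; EXPORT is an alias of EXP.
    tokens = re.split(r"[:,\s]+", cipher_string.strip().strip('"'))
    present = {t.replace("!EXPORT", "!EXP") for t in tokens}
    return sorted(required_exclusions(report) - present)
```

`missing_exclusions(OLD_CIPHERS, SSLLABS_REPORT)` returns `['!aNULL']` and `missing_exclusions(WORKING_CIPHERS, SSLLABS_REPORT)` returns `[]`; the space-separated quoted form Joseph used is accepted as well.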

----------

## Joseph_sys

I got "A" grade

with, in httpd.conf:

```
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:EECDH:-RC4:EDH:-CAMELLIA:-SEED:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
```

```
Certificate      100
Protocol Support  95
Key Exchange      80
Cipher Strength   90
```

----------

## Joseph_sys

I got an "A" but I'm still getting some errors from SSL Lab:

```
Handshake Simulation

IE 6 / XP   No FS (1)   No SNI (2)   Protocol or cipher suite mismatch   Fail (3)
IE 8 / XP   No FS (1)   No SNI (2)   Protocol or cipher suite mismatch   Fail (3)

(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version
```

----------

## freke

I get A+ with:

```
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
```

Gives me:

```
Protocol Support  95
Key Exchange     100
Cipher Strength   90
```

It fails handshake simulation for IE6/XP and Java6u45 - not clients I'm interested in serving anyway.

Apache 2.4.9-r3 + OpenSSL 1.0.1h-r1 both from portage

----------

## Joseph_sys

 *freke wrote:*   

> I get A+ with:
> 
> ```
> SSLProtocol ALL -SSLv2 -SSLv3
> 
> ...

 

Which file do you keep these settings in?

When I put them in 00_default_ssl_vhost.conf I get "C" rating, it means something is not getting activated.

So I put them in "httpd.conf" and I get "A+" as well.

How do you get key exchange 100? With your setting I only get key exchange 80

 *Quote:*   

> Certificate 100
> 
> Protocol Support 95
> 
> Key Exchange 80
> ...

 

In addition you forgot to mention that in order to get "A+" one needs to have in vhosts.conf

under: 

```
NameVirtualHost *:443
...
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...
```

----------

## Duncan Mac Leod

AFAIK you cannot get A+ on https://www.ssllabs.com/ssltest/index.html with all 4 (Certificate, Protocol Support, Key Exchange and Cipher Strength) set to 100% ...

----------

## freke

I only remember modifying 00_default_ssl_vhost.conf:

```
Listen 443
SSLStaplingCache shmcb:/var/log/apache/ssl_gcache_data(512000)
..
<VirtualHost _default_:443>
..
 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
 SSLEngine on
 SSLProtocol ALL -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
 SSLUseStapling on
 SSLCompression off
..
</VirtualHost>
```

On further investigating my system I see that SSLCompression is off by default (in /etc/apache/modules.d/40_mod_ssl.conf)

----------

## Ant P.

Just to add my 2¢:

On servers where I don't care about winxp, I use "TLSv1.2+HIGH+kEECDH:TLSv1.2+HIGH+kEDH:!AES128:!aNULL:!eNULL" along with disabling SSLv2/3, which is kind of overkill but (hopefully) very safe. It gets me a theoretical A rating on that test (would be A+ except I'd need to screw with DH params and I don't know what I'm doing there).

For places where I need a bit more compatibility (specifically because some lameness in the TLS stack on my android phone prevents me accessing my own IM account) I use "TLSv1.2+HIGH+kEECDH:TLSv1.2+HIGH+kEDH:TLSv1+HIGH:!AES128:!3DES:!CAMELLIA:!aNULL"

----------

