PCI Compliant Web Hosting and Managed Service Provider
Hosting Solutions since 1995

SSL Beast and RC4-SHA

Author: Peter Abraham; Published: Sep 19, 2012; Category: Managed Hosting, Managed Services, PCI Compliance

While there is a growing number of technical articles on protecting an Apache-based server against the BEAST attack on SSL/TLS, I have yet to see one that gives the SSLCipherSuite setting for allowing RC4-SHA and nothing else.

This past weekend I found out that some authorized PCI compliance scanning vendors will only grant PCI compliance status if your BEAST mitigation allows RC4-SHA and nothing else.

If you have such a vendor, these are the settings to use in your Apache 2 httpd.conf configuration file:

# Turn every protocol off, then re-enable only SSLv3 and TLS 1.0
SSLProtocol -ALL +SSLv3 +TLSv1
# RC4-SHA first, then HIGH with the CBC and other suites named below removed.
# Anything in HIGH that is not named here (Camellia, or the ECDHE AES-SHA
# suites on OpenSSL builds that have them) stays enabled, so check the
# expansion with "openssl ciphers -v" on the server's own OpenSSL.
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
# Use the server's order, so RC4-SHA is chosen whenever the client offers it
SSLHonorCipherOrder on

You can test your settings by running the following (preferably on another server):

openssl s_client -connect [ssl public machine name]:443 -cipher RC4-SHA
openssl s_client -connect [ssl public machine name]:443 -cipher DES-CBC3-SHA
openssl s_client -connect [ssl public machine name]:443 -cipher AES256-SHA

And so on for the other ciphers; only the RC4-SHA attempt should complete the handshake, the others should fail with a handshake failure alert.

If you know of a more elegant way to adjust the SSLCipherSuite to only allow RC4-SHA please let us know using the comment form below.
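The three openssl s_client checks above, generalised into a script that walks a whole cipher list and reports which suites the server accepts. This is an added example, not part of the original post; it assumes openssl(1) is on the path and a reachable HOST:PORT, the function names negotiated_cipher, probe_cipher and probe_all are chosen here, and the two sample outputs are constructed. The check reads the Cipher line of s_client's SSL-Session block, which shows the negotiated suite after a successful handshake and 0000 after a failed one; feeding s_client from /dev/null makes it exit right after the handshake instead of waiting for input. On the question of a more elegant cipher string: the OpenSSL cipher string RC4-SHA on its own expands to exactly that one suite (openssl ciphers -v RC4-SHA shows the expansion), and running openssl ciphers -v on the long string in the configuration above lists what it actually enables on a given OpenSSL build.

```shell
#!/bin/sh
# Added example, not from the original post: probe a TLS endpoint with a list
# of cipher suites and report which ones the server accepts. Assumes openssl(1)
# is installed and HOST:PORT is reachable. The sample outputs are constructed.

# Extract the negotiated cipher from openssl s_client output. After a completed
# handshake the SSL-Session block contains "Cipher    : RC4-SHA"; after a failed
# one it contains "Cipher    : 0000". Prints "none" when no cipher was agreed.
negotiated_cipher() {
    printf '%s\n' "$1" | awk -F': *' '
        /^[ \t]*Cipher[ \t]*:/ { c = $2; gsub(/[ \t\r]/, "", c) }
        END { if (c == "" || c == "0000") print "none"; else print c }'
}

# Probe one endpoint with one cipher. </dev/null makes s_client exit right
# after the handshake. Prints "<cipher> accepted" or "<cipher> rejected".
probe_cipher() {
    host="$1"; cipher="$2"
    out=$(openssl s_client -connect "$host" -cipher "$cipher" </dev/null 2>&1)
    if [ "$(negotiated_cipher "$out")" = "$cipher" ]; then
        echo "$cipher accepted"
    else
        echo "$cipher rejected"
    fi
}

# Probe every cipher the local OpenSSL expands a cipher string to, e.g.
#   probe_all www.example.com:443 'ALL:COMPLEMENTOFDEFAULT'
# For a server restricted to RC4-SHA exactly one line should read "accepted".
probe_all() {
    host="$1"; list="${2:-ALL}"
    for c in $(openssl ciphers "$list" | tr ':' ' '); do
        probe_cipher "$host" "$c"
    done
}

# Constructed excerpts of s_client output, used to exercise negotiated_cipher
# without a network connection.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA'
SAMPLE_REJECTED='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Usage: sh probe.sh HOST:PORT [cipher-string]
if [ $# -gt 0 ]; then
    probe_all "$1" "${2:-ALL}"
fi
```

Run it against the server with a broad list such as ALL:COMPLEMENTOFDEFAULT and grep for "accepted"; anything other than a single RC4-SHA line means the SSLCipherSuite string still lets another suite through.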

Peter Abraham
Former CEO of Dynamic Net, Inc. Will be transitioning to a new career in the near future.

3 Responses to “SSL Beast and RC4-SHA”

  1. Alex says:

    For an alternative config against BEAST, you can use this:

    SSLProtocol all -SSLv2
    SSLHonorCipherOrder On
    SSLInsecureRenegotiation Off
    SSLCipherSuite RC4-SHA:HIGH:!ADH

    Regards!

  2. Afeef says:

    Is there any way to reorder the cipher suite in Windows 2003 apart from disabling the block ciphers?
