Apache Hardening Tutorial: How to use sslscan and disable vulnerable ciphers

Disable Apache SSLv3

How to Disable Vulnerable Ciphers after Finding Them using SSLScan

If you prefer watching the Secure Apache Series video tutorial please click here.

In this tutorial I will go through sslscan and how to use it to find the ciphers a server offers. I will then update OpenSSL, disable the vulnerable ciphers and force the use of newer ones.

sslscan enumerates the ciphers the target host accepts. There are several SSL/TLS versions and cipher types, and sslscan helps you determine which of them the server supports.

Older ciphers are vulnerable to attacks, so it is good practice to disable them and allow only newer ones.

Install SSLScan

yum install sslscan

Or manually

  1. You must have git, gcc and openssl-devel installed; if you don't, run 'yum install git gcc openssl-devel'
  2. Download the tar file from here to your Linux box. Ver 1.11.10
  3. Decompress the file using 'tar xvfz file-name.tar.gz'
  4. Change into the folder you decompressed the files into and run 'make static'
  5. Run 'make install'
  6. Confirm by running 'sslscan --version'

Use sslscan to scan the available ciphers. Replace "whatever" with the domain, or use an IP, and specify the port, which is 443 by default.

sslscan www.whatever.com:443

Or

sslscan ip.ip.ip.ip:443

Output example:

TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

TLS renegotiation:
Secure session renegotiation supported

TLS Compression:
Compression disabled

Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.0 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 112 bits RC4-SHA
Accepted TLSv1.0 112 bits RC4-MD5
Preferred SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 112 bits DES-CBC3-SHA
Accepted SSLv3 112 bits RC4-SHA
Accepted SSLv3 112 bits RC4-MD5

SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength: 2048

Subject: /C=US/ST=Berkshire/L=Newbury/O=HMH
Issuer: /C=US/ST=Berkshire/L=Newbury/O=HMH
Not valid before: Nov 3 23:09:29 2014 GMT
Not valid after: Oct 31 23:09:29 2024 GMT

Now you know all the ciphers the server offers and can decide which ones to disable; you can research each one to find out which are vulnerable, and it is always good practice to disable any below 128 bits.
Sometimes I run this against big-name sites to see which ciphers they support, as that gives a good indication of the practice to follow.
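To turn the rule above (drop anything below 128 bits, anything on SSLv2/SSLv3, and legacy algorithms such as RC4 or DES) into a repeatable check, here is an added Python example that parses the "Supported Server Cipher(s)" section of an sslscan report and lists what to disable. It is not part of the original tutorial or of sslscan itself; the sample report is a constructed excerpt of the output shown above, and the list of weak algorithm names is this example's own assumption.

```python
import re

# Constructed excerpt of the sslscan report above (cipher section + next header).
SAMPLE_OUTPUT = """\
Supported Server Cipher(s):
Preferred TLSv1.0 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 112 bits RC4-SHA
Preferred SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 128 bits AES128-SHA

SSL Certificate:
"""

CIPHER_LINE = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+(\d+) bits\s+(\S+)")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}                     # drop these outright
WEAK_ALGORITHMS = {"RC4", "DES", "MD5", "NULL", "EXP"}  # assumed legacy algorithm names

def parse_ciphers(report):
    """Return (status, protocol, bits, cipher) rows from the cipher section."""
    rows, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Supported Server Cipher(s)"):
            in_section = True
        elif in_section and line.strip():
            m = CIPHER_LINE.match(line)
            if not m:  # first non-cipher line ends the section
                break
            rows.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return rows

def weak_ciphers(report):
    """Map each (protocol, cipher) the tutorial's rule would disable to its reasons."""
    findings = {}
    for _status, proto, bits, cipher in parse_ciphers(report):
        reasons = []
        if proto in WEAK_PROTOCOLS:
            reasons.append(f"legacy protocol {proto}")
        if bits < 128:
            reasons.append(f"only {bits} bits")
        for alg in sorted(WEAK_ALGORITHMS & set(cipher.split("-"))):
            reasons.append(f"weak algorithm {alg}")
        if reasons:
            findings[(proto, cipher)] = tuple(reasons)
    return findings

def protocols_to_disable(report):
    """Protocol names to subtract in SSLProtocol, e.g. {'SSLv3'} -> 'all -SSLv3'."""
    return {proto for proto, _ in weak_ciphers(report) if proto in WEAK_PROTOCOLS}
```

Feed it the saved output of a real scan (`sslscan host:443 > report.txt`) instead of SAMPLE_OUTPUT and the result of protocols_to_disable maps directly onto the SSLProtocol line edited in the next step.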

Disable older ciphers

vi /etc/httpd/conf.d/ssl.conf
SSLProtocol all -SSLv2 -SSLv3

Save the file

Restart the service (use whichever command your system provides: service on SysV init, systemctl on systemd)

service httpd restart
systemctl restart httpd

Update your OpenSSL and force newer ciphers

Note: to enable the newer protocol versions you must make sure that your OpenSSL is updated and supports them, or else you will get an error similar to "SSLProtocol: Illegal protocol 'TLSv1.1'"

Example:

vi /etc/httpd/conf.d/ssl.conf

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

Restart the service (again, service on SysV init or systemctl on systemd)

service httpd restart
systemctl restart httpd
