SSL Labs Rating Woes
Published 2018-03-08 at https://www.carnaghan.com/ssl-labs-rating-woes/

I was recently notified that one of the sites I support was getting a ‘C’ rating on SSL Labs. It turned out that there were three main issues that needed to be resolved. Two out of the three were relatively easy to find via the SSL Labs documentation, and they required simple fixes to the ssl.conf file.

The third issue, however, was not quite as straightforward: “This server accepts RC4 cipher, but only with older protocols”. I found a number of helpful articles stating that adding !RC4 to SSLCipherSuite, to exclude RC4, would mitigate this vulnerability. I spent quite a bit of time trying different cipher list combinations, always including !RC4, but no matter how many times I tweaked this, restarted httpd and revisited SSL Labs, I kept getting the annoying ‘B’ grade and the RC4 complaint. For anyone facing similar issues, I highly recommend reading Hardening Your Web Server’s SSL Ciphers.

In the end, the problem I was facing was due to the fact that I had a separate vhosts file. I found the solution to my problem described in this very helpful entry on SuperUser, Disabling RC4 in the SSL cipher suite of an Apache server. The solution described there is to add the SSLCipherSuite specification in the Apache Directives textarea for each vhost. In my case, I had to add my SSLProtocol, SSLHonorCipherOrder, and SSLCipherSuite entries from ssl.conf into my vhosts file under my <VirtualHost> tag. As the author of that post comments, it seems strange that it needs to be specified here as well. Regardless, if you are facing issues getting rid of RC4 and you are running vhosts, be sure to add your entries to your vhosts.conf file in addition to ssl.conf! Hopefully my wasted morning will benefit others.