Wednesday, May 23, 2018

Fixes Ciphers on Apache httpd server

I thought I would just make a note of the steps to check what cipher I was running on our web server and to see how to remove any old/weak ones.

Ref:

Last time I checked out SSL Server Test our web server got a A rating, but yesterday I checked it again and got a B rating. Guess since last time some ciphers have become unsafe, so here are the steps  I did to remove  some weak ciphers (i.e. TLS_RSA_WITH_AES_128_CBC_SHA)

Using ssl-enum-ciphers you can find out what you quickly what you are using:
 # nmap --script ssl-enum-ciphers -p 443 www.dcs.bbk.ac.uk  
 Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-23 09:33 BST  
 Nmap scan report for www.dcs.bbk.ac.uk (193.61.29.1)  
 Host is up (0.00028s latency).  
 PORT  STATE SERVICE  
 443/tcp open https  
 | ssl-enum-ciphers:   
 |  TLSv1.2:   
 |   ciphers:   
 |    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A  
 |    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A  
 |    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A  
 |    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A  
 |    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A  
 |    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A  
 |    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A  
 |    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A  
 |    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A  
 |    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A  
 |    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A  
 |    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A  
 |    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A  
 |    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A  
 |    TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A  
 |    TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A  
 |    TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A  
 |    TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A  
 |    TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A  
 |    TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A  
 |    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A  
 |    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A  
 |   compressors:   
 |    NULL  
 |   cipher preference: client  
 |_ least strength: A  
 Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds  
A quick visit to Mozilla SSL Configuration Generator to find out what setting I should be using for SSLProtocol, SSLCipherSuite and then after updating apache configure file I can check nmap again.
 # nmap --script ssl-enum-ciphers -p 443 www.dcs.bbk.ac.uk  
 Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-23 10:10 BST  
 Nmap scan report for www.dcs.bbk.ac.uk (193.61.29.1)  
 Host is up (0.00026s latency).  
 PORT  STATE SERVICE  
 443/tcp open https  
 | ssl-enum-ciphers:   
 |  TLSv1.2:   
 |   ciphers:   
 |    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A  
 |    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A  
 |    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A  
 |    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A  
 |   compressors:   
 |    NULL  
 |   cipher preference: client  
 |_ least strength: A  
 Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds  

And then SSL Labs test gets A  again... Guess I need to check more often.

1 comment:

Andrew Watkins said...

You can use the same script for any ports: i.e.
%nmap --script ssl-enum-ciphers -p 25 mailer1.dcs.bbk.ac.uk