Ref:
- How to identify and remove CBC ciphers in the CipherSuite?
- Mozilla SSL Configuration Generator
- ssl-enum-ciphers NSE Script
- SSL Server Test
Last time I checked SSL Server Test our web server got an A rating, but yesterday I checked it again and got a B. I guess some ciphers have become unsafe since then, so here are the steps I took to remove some weak ciphers (e.g. TLS_RSA_WITH_AES_128_CBC_SHA).
Using ssl-enum-ciphers you can quickly find out what you are using:
# nmap --script ssl-enum-ciphers -p 443 www.dcs.bbk.ac.uk
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-23 09:33 BST
Nmap scan report for www.dcs.bbk.ac.uk (193.61.29.1)
Host is up (0.00028s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds
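To turn a scan like the one above into a decision, here is an added Python example (my code, not from the post and not part of nmap) that parses ssl-enum-ciphers output, flags the suites the post ended up dropping (static RSA key exchange, finite-field DHE, SHA-1 HMAC), warns when the scan reports "cipher preference: client", and rewrites the kept suites into the OpenSSL names that Apache's SSLCipherSuite directive takes. The embedded sample input is a constructed, abridged copy of the first scan; the drop policy, the SSLHonorCipherOrder advice and the IANA-to-OpenSSL name rewrite (which only covers the RSA/DHE/ECDHE AES and Camellia families seen here) are my assumptions, not something the post states.

```python
import re

# Constructed sample: an abridged copy of the first ssl-enum-ciphers scan
# quoted in the post (taken before the Apache config was changed).
SCAN_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_    least strength: A
"""

PROTO_RE = re.compile(r"^\|_?\s+(SSLv3|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
PREF_RE = re.compile(r"^\|_?\s+cipher preference:\s+(\w+)")


def parse_scan(text):
    """Parse ssl-enum-ciphers output into
    {"ciphers": [(protocol, name, key_info, nmap_grade), ...], "preference": str|None}."""
    proto, ciphers, preference = None, [], None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m:
            ciphers.append((proto, m.group(1), m.group(2), m.group(3)))
            continue
        m = PREF_RE.match(line)
        if m:
            preference = m.group(1)
    return {"ciphers": ciphers, "preference": preference}


def weaknesses(name):
    """Reasons to drop a suite. Assumed policy mirroring the post's final scan:
    keep only ECDHE key exchange with a GCM or SHA-2 HMAC suite."""
    kx, _, rest = name[len("TLS_"):].partition("_WITH_")
    reasons = []
    if kx == "RSA":
        reasons.append("static RSA key exchange: no forward secrecy")
    elif kx.startswith("DHE_"):
        reasons.append("finite-field DHE: post's final config keeps ECDHE only")
    if rest.endswith("_SHA"):
        reasons.append("SHA-1 HMAC")
    return reasons


def review(text):
    """Split a scan into keep/drop lists and warn if the client picks the suite."""
    scan = parse_scan(text)
    keep, drop = [], {}
    for _proto, name, _key_info, _grade in scan["ciphers"]:
        why = weaknesses(name)
        if why:
            drop[name] = why
        else:
            keep.append(name)
    warnings = []
    if scan["preference"] == "client":
        warnings.append("client chooses the suite; set SSLHonorCipherOrder on "
                        "so the server's order wins")
    return {"keep": keep, "drop": drop, "warnings": warnings}


def openssl_name(iana_name):
    """Rewrite an IANA suite name into the OpenSSL name Apache expects.
    Assumption: only valid for the RSA/DHE/ECDHE AES and Camellia families
    seen in the scan; other families need a proper lookup table."""
    kx, _, rest = iana_name[len("TLS_"):].partition("_WITH_")
    rest = rest.replace("_CBC", "")                        # OpenSSL omits "CBC"
    rest = re.sub(r"(AES|CAMELLIA)_(\d+)", r"\1\2", rest)  # AES_128 -> AES128
    rest = rest.replace("_", "-")
    return rest if kx == "RSA" else kx.replace("_", "-") + "-" + rest


def cipher_suite_directive(text):
    """Build an SSLCipherSuite line from the suites review() keeps."""
    return "SSLCipherSuite " + ":".join(openssl_name(n) for n in review(text)["keep"])


if __name__ == "__main__":
    result = review(SCAN_OUTPUT)
    for name in result["keep"]:
        print("keep", name)
    for name, why in result["drop"].items():
        print("drop", name, "->", "; ".join(why))
    for warning in result["warnings"]:
        print("warn", warning)
    print(cipher_suite_directive(SCAN_OUTPUT))
```

Run as-is it prints the keep/drop report for the embedded sample; to use it on a live host, paste the real nmap output into SCAN_OUTPUT. The kept CBC suites with SHA-256/384 HMACs are exactly what the post's second scan still offers; dropping them too and keeping only GCM is a stricter choice. Note also that both of the post's scans say "cipher preference: client", meaning the server accepts whichever offered suite the client ranks first; SSLHonorCipherOrder on is the Apache setting that makes the server's order decide.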
A quick visit to the Mozilla SSL Configuration Generator tells me what I should be using for SSLProtocol and SSLCipherSuite; after updating the Apache configuration file I can check with nmap again:
# nmap --script ssl-enum-ciphers -p 443 www.dcs.bbk.ac.uk
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-23 10:10 BST
Nmap scan report for www.dcs.bbk.ac.uk (193.61.29.1)
Host is up (0.00026s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds
And then the SSL Labs test gets an A again... Guess I need to check more often.
1 comment:
You can use the same script for any port, i.e.
% nmap --script ssl-enum-ciphers -p 25 mailer1.dcs.bbk.ac.uk