Sunday, January 4, 2015

ssl - Fixing BEAST vulnerability on Apache 2.0 running on RHEL 4




I have a web server running Apache 2.0 on RHEL4. This server recently failed a PCI scan.



Reason:
SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability
Solution:
This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2.
If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability.
Using the following SSL configuration in Apache mitigates this vulnerability:
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH




Simple fix, I thought. I added the lines to Apache configuration and it didn't work. Apparently
"SSLHonorCipherOrder On" will only work on Apache 2.2 and later. I tried upgrading Apache, soon ran into dependency hell and it seems I will have to upgrade the entire OS to upgrade to Apache 2.2. We are retiring this server in a few months so it's not worth it.



The solution says "If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability."



How would I do this on Apache 2.0? Is this even possible? If not, are there any other work arounds?


Answer



Other than compiling a newer Apache by hand, the only thing I can think of would be to make RC4-SHA the only supported cipher (tested with openssl ciphers RC4-SHA on the current openssl to make sure it only prints one cipher, you may want to do the same to make sure it doens't match some weird old cipher on your old openssl):



SSLCipherSuite RC4-SHA



MS says Windows XP suports TLS_RSA_WITH_RC4_128_SHA so you shouldn't have any compatibility problems.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...