HolHost.com Blog Server administrators blog

23 Nov/15

How to disable the RC4 cipher in Apache / disable the RC4 cipher in an Amazon load balancer

One of our site security scan reports showed that our web server is vulnerable because it supports the RC4 cipher for SSL/TLS encryption. So how do we disable it?

Disabling the RC4 cipher in the Apache web server.

Here are the two steps:

1. Add this line to the “/etc/sysconfig/httpd” file (I’m using RedHat OS)

OPENSSL_NO_DEFAULT_ZLIB=1

2. Add the following lines to the VirtualHost block you created for HTTPS.

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SSLCompression Off

Now you are almost done! You can verify the result at https://www.ssllabs.com/ssltest/analyze.html

In my case, the scan still reported the same error, showing that RC4 was still enabled. Here is the trick: I found out that the Amazon Elastic Load Balancer was doing SSL acceleration for my project, so the change has to be made there.

a. Go to the Load Balancer area, choose your LB, and click on “Change cipher”
b. Choose “Custom LB policy”
c. Uncheck RC4-SHA and ECDHE-ECDSA-RC4-SHA and save

Then re-run the SSL Labs test and you will finally see the result!
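The situation above (Apache is clean, but the load balancer that terminates TLS still offers RC4) can be checked offline at both layers. This is an added example, not part of the original post: the policy name and the JSON sample are constructed, the JSON follows the shape of `aws elb describe-load-balancer-policies` output for a Classic ELB, and the Apache check is a token heuristic that does not call OpenSSL.

```python
import json
import re

# Constructed sample: the HTTPS VirtualHost directives shown on this page.
APACHE_CONF = """\
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SSLCompression Off
"""

# Constructed sample shaped like `aws elb describe-load-balancer-policies`
# output for a Classic ELB; the policy name is hypothetical.
ELB_POLICIES = json.dumps({"PolicyDescriptions": [{
    "PolicyName": "example-custom-ssl-policy",
    "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
        {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
        {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "RC4-SHA", "AttributeValue": "true"},
        {"AttributeName": "ECDHE-ECDSA-RC4-SHA", "AttributeValue": "false"},
    ]}]})

# Broad OpenSSL aliases that matched RC4 suites on builds that still shipped RC4.
BROAD_ALIASES = {"ALL", "DEFAULT", "MEDIUM"}

def apache_rc4_tokens(conf):
    """Return SSLCipherSuite tokens that may enable RC4 (heuristic, no OpenSSL call)."""
    risky = []
    for line in conf.splitlines():
        m = re.match(r"\s*SSLCipherSuite\s+(\S.*)", line, re.IGNORECASE)
        if not m:
            continue
        tokens = [t for t in re.split(r"[:,\s]+", m.group(1).strip('"\' ')) if t]
        if any(t.upper() == "!RC4" for t in tokens):
            continue  # "!RC4" removes RC4 permanently for this directive
        risky += [t for t in tokens if not t.startswith(("!", "-"))
                  and ("RC4" in t.upper() or t.upper() in BROAD_ALIASES)]
    return risky

def elb_rc4_enabled(policies_json):
    """Map each SSL negotiation policy name to the RC4 ciphers it has switched on."""
    out = {}
    for pol in json.loads(policies_json).get("PolicyDescriptions", []):
        if pol.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        on = [a["AttributeName"] for a in pol.get("PolicyAttributeDescriptions", [])
              if "RC4" in a["AttributeName"].upper()
              and a.get("AttributeValue", "").lower() == "true"]
        if on:
            out[pol["PolicyName"]] = on
    return out
```

An empty list from `apache_rc4_tokens` together with a non-empty result from `elb_rc4_enabled` means the remaining RC4 finding comes from the load balancer policy, not from Apache.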
