BEAST and CRIME SSL/TLS vulnerability

I recently ran a vulnerability scan against my web servers, and it reported the BEAST and CRIME vulnerabilities.

RHEL5 Apache

Simple PCI DSS compliant and compatible setup for RHEL5 Apache with 3DES as last resort against BEAST:

SSLHonorCipherOrder On
SSLProtocol All -SSLv2
SSLCipherSuite RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA

Simple CRIME reduction for same setup:

echo 'export OPENSSL_NO_DEFAULT_ZLIB=1' >> /etc/sysconfig/httpd

You can test your website's URL here: https://www.ssllabs.com/ssltest/
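As an added check written for this post (not code from the original), here is a small Python audit that parses the Apache directives above plus the /etc/sysconfig/httpd line and reports whether the BEAST and CRIME mitigations described here are in place. The config text and sysconfig contents are constructed samples, and the stream/AEAD/CBC classification is a heuristic on OpenSSL suite names.

```python
import re

# Constructed httpd.conf fragment (assumed, not from a real server): the PCI DSS setup from this post.
GOOD_CONF = """
SSLHonorCipherOrder On
SSLProtocol All -SSLv2
SSLCipherSuite RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA
"""
# Constructed /etc/sysconfig/httpd contents after the echo line from this post.
SYSCONFIG_FIXED = "export OPENSSL_NO_DEFAULT_ZLIB=1\n"

def parse_directives(conf):
    """Map 'Name value' lines of an httpd.conf fragment to {Name: value}; comments and blanks are skipped."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            out[name] = value.strip()
    return out

def cipher_mode(suite):
    """Heuristic on OpenSSL names: RC4 is a stream cipher, GCM/CHACHA20 are AEAD, the rest (AES*-SHA, DES-CBC3-SHA) are CBC."""
    if "RC4" in suite:
        return "stream"
    if "GCM" in suite or "CHACHA20" in suite:
        return "aead"
    return "cbc"

def audit(conf, sysconfig):
    """Return a list of BEAST/CRIME findings; an empty list means the post's mitigations are all present."""
    d = parse_directives(conf)
    findings = []
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("BEAST: SSLHonorCipherOrder is not On, so the client chooses the suite")
    tokens = [t.lower() for t in d.get("SSLProtocol", "").split()]
    if ("all" in tokens and "-sslv2" not in tokens) or "sslv2" in tokens or "+sslv2" in tokens:
        findings.append("SSLv2 is still enabled")
    suites = [s for s in d.get("SSLCipherSuite", "").split(":") if s]
    if not suites or cipher_mode(suites[0]) == "cbc":
        findings.append("BEAST: the server-preferred suite is a CBC suite, no stream cipher first")
    env = dict(re.findall(r"^\s*export\s+(\w+)=(\S+)", sysconfig, re.M))
    if env.get("OPENSSL_NO_DEFAULT_ZLIB") != "1":
        findings.append("CRIME: OPENSSL_NO_DEFAULT_ZLIB=1 is not exported, TLS compression stays available")
    return findings

if __name__ == "__main__":
    print(audit(GOOD_CONF, SYSCONFIG_FIXED) or "no findings")
```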

Lighttpd

Edit the lighttpd.conf file and add the following for BEAST:

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = enable

Splunk Node

This works for Splunk 4.3 or higher; versions below 4.3 have no setting for ciphers. Edit the web.conf file and add the following:

enableSplunkWebSSL = true
supportSSLV3Only = true
cipherSuite = RC4+RSA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:+HIGH:!MEDIUM:!LOW

For the CRIME vulnerability, edit server.conf. My forwarders don't need web enabled!

[httpServer]
disableDefaultPort = true
supportSSLV3Only = true
