Disabling SSLv3 and RC4 Cipher in Apache Configuration

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.

Post by nimhengnrs »

Hello everyone,

I'm running Nagios XI 5.4.11 and I'm trying to disable the SSLv3 protocol and RC4 cipher on my server using the /etc/httpd/conf.d/ssl.conf file. This is what I put:

SSLProtocol all -SSLv2 -SSLv3 +TLSv1
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
SSLHonorCipherOrder on

Yet whenever I try to restart the Apache service, the Fedora tool "sslscan" says the server accepted connections using SSLv3. The command to run the tool is: sslscan --no-failed hostname

Supported Server Cipher(s):
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-SEED-SHA
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits SEED-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 112 bits DES-CBC3-SHA
Accepted SSLv3 112 bits IDEA-CBC-SHA
Accepted SSLv3 112 bits ECDHE-RSA-RC4-SHA
Accepted SSLv3 112 bits RC4-SHA
Accepted SSLv3 112 bits RC4-MD5

I even rebooted the server. I did a find command and made sure there was only one ssl.conf file on the server. Any suggestions? Am I editing the wrong file?

Re: Disabling SSLv3 and RC4 Cipher in Apache Configuration

Post by tacolover101 »

could you please dump your entire apache config directory for us to review?

my guess is it's still embedded in somewhere. can't say where, but perhaps we can find it.

this article may help you as well: https://www.digicert.com/ssl-support/ap ... ssl-v3.htm

Re: Disabling SSLv3 and RC4 Cipher in Apache Configuration

Post by kyang »

Thanks for the help @tacolover101

nimhengnrs, as tacolover suggested, posting the Apache config for us will help.

Re: Disabling SSLv3 and RC4 Cipher in Apache Configuration

Post by nimhengnrs »

The issue is resolved. Tacolover101's link did the trick since I'm not familiar with the grep command. Seems Nagios has its own separate configuration called nagiosxi.conf in /etc/httpd/conf.d. Adding the lines in the link did it and disabled the weak protocols/ciphers. This can be closed. Thanks everyone.

Re: Disabling SSLv3 and RC4 Cipher in Apache Configuration

Post by kyang »

Sounds great! I'll be closing this thread!

If you have any more questions, feel free to create another thread.

Thanks for using the Nagios Support Forum!
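
The fix in this thread came down to finding which file under /etc/httpd/conf.d actually governed the SSL settings. As an added example (not part of the original thread, and not Nagios or Apache code), the shell function below scans a conf.d directory and flags files that turn on SSLEngine without their own SSLProtocol/SSLCipherSuite, or whose directives still allow SSLv3 or lack an explicit !RC4. The sample files are constructed stand-ins, and treating `all` as including SSLv3 is a conservative assumption.

```shell
#!/bin/sh
# Added example: heuristic audit of SSL directives across an Apache conf.d tree.
# Line-based only: it does not follow Include or track <VirtualHost> nesting.

# audit_tls_conf DIR  -> prints "<file>: <finding>" for every *.conf in DIR
audit_tls_conf() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            $1 ~ /^#/ { next }                      # skip comment lines
            { d = tolower($1) }
            d == "sslengine" && tolower($2) == "on" { engine = 1 }
            d == "sslprotocol" {
                proto = 1; v3 = 0
                for (i = 2; i <= NF; i++) {         # tokens apply left to right
                    t = tolower($i)
                    if (t == "all" || t == "+all" || t == "sslv3" || t == "+sslv3") v3 = 1
                    if (t == "-all" || t == "-sslv3") v3 = 0
                }
                if (v3) print file ": line " NR ": SSLProtocol still allows SSLv3"
            }
            d == "sslciphersuite" {
                cipher = 1                          # conservative: wants an explicit !RC4
                if (tolower($0) !~ /!rc4/) print file ": line " NR ": SSLCipherSuite has no explicit !RC4"
            }
            END {
                if (engine && !proto)  print file ": SSLEngine on but no SSLProtocol in this file"
                if (engine && !cipher) print file ": SSLEngine on but no SSLCipherSuite in this file"
            }' "$f"
    done
}

# Constructed sample tree (stand-ins, not the real Nagios XI files).
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3 +TLSv1' \
        'SSLCipherSuite kEECDH:kEDH:kRSA:!aNULL:!eNULL:!RC4:!3DES' \
        'SSLHonorCipherOrder on' > "$dir/ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' '    SSLEngine on' \
        '    # no SSLProtocol / SSLCipherSuite here' '</VirtualHost>' > "$dir/nagiosxi.conf"
    printf '%s\n' "$dir"
}

sample=$(make_sample)
audit_tls_conf "$sample"
rm -rf "$sample"
```

On a real server, point it at the live directory (`audit_tls_conf /etc/httpd/conf.d`) and confirm the result with a fresh sslscan after restarting Apache.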