Disabling SSLv3 and RC4 Cipher in Apache Configuration

Posted: Thu Feb 01, 2018 7:21 pm
by nimhengnrs
Hello everyone,

I'm running Nagios XI 5.4.11 and I'm trying to disable the SSLv3 protocol and RC4 cipher on my server using the /etc/httpd/conf.d/ssl.conf file. This is what I put:

SSLProtocol all -SSLv2 -SSLv3 +TLSv1
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
SSLHonorCipherOrder on

Yet whenever I try to restart the Apache service, the fedora tool "sslscan" says the server accepted connections using SSLv3. The command to run the tool is sslscan --no-failed hostname

Supported Server Cipher(s):
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-SEED-SHA
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits SEED-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 112 bits DES-CBC3-SHA
Accepted SSLv3 112 bits IDEA-CBC-SHA
Accepted SSLv3 112 bits ECDHE-RSA-RC4-SHA
Accepted SSLv3 112 bits RC4-SHA
Accepted SSLv3 112 bits RC4-MD5

I even rebooted the server. I did a find command and made sure there was only one ssl.conf file on the server. Any suggestions? Am I editing the wrong file?

Re: Disabling SSLv3 and RC4 Cipher in Apache Configuration

Posted: Fri Feb 02, 2018 1:46 am
by tacolover101
Could you please dump your entire apache config directory for us to review?

My guess is it's still embedded in somewhere. Can't say where, but perhaps we can find it.

This article may help you as well: https://www.digicert.com/ssl-support/ap ... ssl-v3.htm

Re: Disabling SSLv3 and RC4 Cipher in Apache Configuration

Posted: Fri Feb 02, 2018 10:49 am
by kyang
Thanks for the help @tacolover101

nimhengnrs, as tacolover suggested posting the apache config for us will help.

Re: Disabling SSLv3 and RC4 Cipher in Apache Configuration

Posted: Fri Feb 02, 2018 5:39 pm
by nimhengnrs
The issue is resolved. Tacolover101's link did the trick since I'm not familiar with the grep command. Seems Nagios has its own separate configuration called nagiosxi.conf in /etc/httpd/conf.d. Adding the lines in the link did it and disabled the weak protocols/ciphers. This can be closed. Thanks everyone.

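An added example, not code from this thread or from Nagios: a small Python audit that applies httpd 2.4's SSLProtocol token rules to every *.conf file in a directory, so a weak directive sitting in another file (here a constructed nagiosxi.conf with hypothetical content, beside a hardened ssl.conf) is reported even when ssl.conf itself is correct. The cipher check only looks for an explicit !RC4; exact expansion of a cipher string is left to `openssl ciphers -v`.

```python
import pathlib
import re
import tempfile

# httpd 2.4 SSLProtocol semantics: "all" is every supported version (SSLv3 in,
# SSLv2 gone); "+X"/"-X" add or drop one; an unprefixed token replaces the set.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS}  # protocol names are case-insensitive
DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I)

def enabled_protocols(value):
    """Evaluate an SSLProtocol argument string into the set of enabled versions."""
    enabled = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        versions = ALL_PROTOCOLS if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if action == "-":
            enabled -= versions
        elif action == "+":
            enabled |= versions
        else:
            enabled = set(versions)
    return enabled

def audit_conf_dir(conf_dir):
    """(file, line, directive, value, finding) for each *.conf; every file is judged
    on its own because a directive in another file's <VirtualHost> wins for that host."""
    findings = []
    for path in sorted(pathlib.Path(conf_dir).glob("*.conf")):
        with path.open() as fh:
            for lineno, line in enumerate(fh, 1):
                m = DIRECTIVE_RE.match(line)
                if not m:
                    continue
                directive, value = m.group(1), m.group(2)
                if directive.lower() == "sslprotocol":
                    finding = "SSLv3 enabled" if "SSLv3" in enabled_protocols(value) else "ok"
                else:  # without an explicit !RC4 the cipher string may still negotiate RC4
                    finding = "ok" if "!RC4" in value else "RC4 not excluded"
                findings.append((path.name, lineno, directive, value, finding))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed conf dir, not a real server
        pathlib.Path(d, "ssl.conf").write_text(  # the poster's style of hardened directives
            "SSLProtocol all -SSLv2 -SSLv3 +TLSv1\nSSLCipherSuite HIGH:!aNULL:!RC4:!3DES\n")
        pathlib.Path(d, "nagiosxi.conf").write_text(  # hypothetical content, still weak
            "<VirtualHost *:443>\n  SSLProtocol all\n  SSLCipherSuite HIGH:MEDIUM\n</VirtualHost>\n")
        return audit_conf_dir(d)  # rows whose finding != "ok" all point at nagiosxi.conf
```

Run `audit_conf_dir("/etc/httpd/conf.d")` on a real host to list every file that sets these directives, which is the grep step the resolution above refers to.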
Re: Disabling SSLv3 and RC4 Cipher in Apache Configuration

Posted: Mon Feb 05, 2018 10:14 am
by kyang
Sounds great! I'll be closing this thread!

If you have any more questions, feel free to create another thread.

Thanks for using the Nagios Support Forum!