Disabling TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) in Apache in CentOS 7.2.1511

To disable TLS/SSL birthday attacks on 64-bit block ciphers (SWEET32) in Apache on CentOS 7.2.1511, remove any DES-based ciphers from your Apache SSL configuration file. The SSLCipherSuite value below lists only AES-based suites:

[root@localhost:~]# cat /etc/httpd/conf.d/ssl.conf
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Make sure that your httpd config file syntax is OK:
[root@localhost:~]# apachectl configtest

Restart your web server:
[root@localhost:~]# systemctl restart httpd.service

Run an nmap scan with the ssl-enum-ciphers script enabled:

[root@localhost:~]# nmap --script ssl-enum-ciphers -p 443 server_fqdn |grep 3DES

The command should print nothing: no DES-based ciphers should be displayed.
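The `grep 3DES` check only matches Triple-DES suite names. As an added example (not from the original post), the shell function below reads `ssl-enum-ciphers` output and lists every suite that uses a 64-bit block cipher (3DES, DES, IDEA, RC2) per protocol, returning non-zero if any remain. The function name and both sample scan outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# sweet32_suites (hypothetical name) reads `nmap --script ssl-enum-ciphers`
# output on stdin, prints "<protocol> <suite>" for each suite that uses a
# 64-bit block cipher, and returns 1 if any were found, 0 otherwise.
sweet32_suites() {
    awk '
        # Protocol headers look like: |   TLSv1.2:
        $2 ~ /^(SSLv[0-9]+|TLSv[0-9.]+):$/ { proto = $2; sub(/:$/, "", proto); next }
        # Suite lines look like: |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
        $2 ~ /^(TLS|SSL)_/ && $2 ~ /_(3DES_EDE|DES|DES40|IDEA|RC2)_CBC/ {
            print proto, $2
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: scan output before the cipher list was tightened.
SAMPLE_BEFORE='| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_IDEA_CBC_SHA (rsa 2048) - A
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|_  least strength: C'

# Constructed sample: scan output with only AES suites offered.
SAMPLE_AFTER='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A'

printf '%s\n' "$SAMPLE_BEFORE" | sweet32_suites || echo "64-bit block ciphers still offered"
printf '%s\n' "$SAMPLE_AFTER" | sweet32_suites && echo "no 64-bit block ciphers offered"
```

Against a live server, pipe the scan into it: `nmap --script ssl-enum-ciphers -p 443 server_fqdn | sweet32_suites`.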
