
How do I disable the RC4 cipher in Apache / disable the RC4 cipher in Amazon load balancer

One of the site security scan reports showed me that our web server has a vulnerability because it supports the RC4 cipher in SSL/TLS encryption, so I needed to disable it. Google showed me a few links on how to do it, and I did it on one web server easily. But I was still getting the same report. I’m running my projects on the AWS platform behind an Elastic Load Balancer.

Disabling RC4 cipher in Apache webserver.

Here are the two steps,

1. Add this line to the “/etc/sysconfig/httpd” file (I’m using RedHat OS)

OPENSSL_NO_DEFAULT_ZLIB=1

2. Add the following lines to the VirtualHost section you created for HTTPS.

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SSLCompression Off

Now you are almost done! You can verify it at https://www.ssllabs.com/ssltest/analyze.html

In my case, I was still getting the same error, showing that RC4 was still enabled. Here is the trick: I found out that the Amazon Elastic Load Balancer is doing SSL acceleration for my project, so the cipher settings that clients see are the load balancer's and the change has to be made there.

a. Go to the Load Balancer area, choose your LB, and click on “Change cipher”
b. Choose “Custom LB policy”
c. Uncheck RC4-SHA and ECDHE-ECDSA-RC4-SHA and save

Then re-run the SSL Labs test and you will finally see the result!
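The load balancer's policy can also be checked without the console. The following is an added example, not part of the original post: it audits the JSON printed by `aws elb describe-load-balancer-policies --load-balancer-name <your-lb>` and lists any RC4 cipher or SSL protocol version still enabled. The sample data and the policy names in it are constructed.

```python
import json
import sys

def _policy(name, attrs):
    # Builds one constructed policy entry for the sample below.
    return {"PolicyName": name, "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": k, "AttributeValue": v} for k, v in attrs.items()]}

# Constructed sample in the shape of the CLI output; policy names are hypothetical.
SAMPLE = json.dumps({"PolicyDescriptions": [
    _policy("before-change", {
        "Protocol-SSLv3": "false", "Protocol-TLSv1.2": "true",
        "ECDHE-RSA-AES128-GCM-SHA256": "true",
        "RC4-SHA": "true", "ECDHE-ECDSA-RC4-SHA": "true"}),
    _policy("after-change", {
        "Protocol-SSLv3": "false", "Protocol-TLSv1.2": "true",
        "ECDHE-RSA-AES128-GCM-SHA256": "true",
        "RC4-SHA": "false", "ECDHE-ECDSA-RC4-SHA": "false"}),
]})

def is_weak(attribute_name):
    # Any RC4 suite, or the SSL protocol versions the Apache config also disables.
    return ("RC4" in attribute_name.upper()
            or attribute_name.startswith("Protocol-SSLv"))

def weak_settings(policy_json):
    """Map each SSL negotiation policy name to its enabled weak attributes."""
    findings = {}
    for policy in json.loads(policy_json).get("PolicyDescriptions", []):
        if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue  # other policy types carry no cipher settings
        weak = sorted(
            a["AttributeName"]
            for a in policy.get("PolicyAttributeDescriptions", [])
            if a.get("AttributeValue", "").lower() == "true"
            and is_weak(a["AttributeName"]))
        if weak:
            findings[policy["PolicyName"]] = weak
    return findings

if __name__ == "__main__":
    # With a file argument, audit saved CLI output; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, weak in weak_settings(text).items():
        print(f"{name}: still enabled -> {', '.join(weak)}")
```

A policy that appears in the output still offers RC4 or SSLv2/SSLv3 to clients, whatever the Apache configuration behind the load balancer says.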
