How to remove weak cipher suites from the TIM web server i.e. those with less than 128-bit encryption.

Document ID : KB000020035
Last Modified Date : 14/02/2018

Description:

A security scan of the TIM web server flagged the weak cipher suites it accepts. Those suites, i.e. the ones providing less than 128-bit encryption, must be removed from the web server configuration.

Solution:

Step 1:

Take a backup of the file:

/opt/CA-httpd-2.2.22/conf.d/ssl.conf

(/etc/httpd is also a symbolic link to /opt/CA-httpd-2.2.22.)

Step 2:

In that file, change the SSLCipherSuite directive as follows.

Change:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP

To:

SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH

Step 3:

After making this change, reload the httpd configuration by running:

"service httpd reload"

Step 4:

You can verify the effect of the change by running the following openssl command before and after it, replacing HOSTNAME with the TIM server's host name. The -cipher LOW:EXP option makes the client offer only low-strength and export cipher suites, so the handshake succeeds only if the server still accepts them:

openssl s_client -connect HOSTNAME:443 -cipher LOW:EXP

Before the change the result should be:

CONNECTED(00000003)
...
Verify return code: 18 (self signed certificate)
---

After the change the result should be an error:

CONNECTED(00000003)
17484:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
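The four steps above, as an added shell example that is not part of the original KB article. It backs up ssl.conf, rewrites the SSLCipherSuite directive to the value the article gives, checks the configuration syntax before reloading, and then classifies the openssl s_client output the way Step 4 does. The file path and both cipher strings are the article's; the function names, the backup naming scheme, and the assumption that httpd and openssl are on PATH are mine.

```shell
#!/bin/sh
# Added example (not from the KB article): apply and verify the
# SSLCipherSuite hardening described in Steps 1-4.

SSL_CONF="/opt/CA-httpd-2.2.22/conf.d/ssl.conf"          # path from the article
OLD_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP'
NEW_SUITE='ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH'

# Print the value of the (last) SSLCipherSuite directive in a config file.
current_cipher_suite() {
    sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# Steps 1 and 2: back up the file (timestamped copy beside it, an assumed
# naming scheme), then rewrite the directive to NEW_SUITE whatever its
# current value is. Fails if the file has no SSLCipherSuite directive at all.
harden_cipher_suite() {
    conf="$1"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$(mktemp)" || return 1
    # '|' is the sed delimiter because the cipher strings contain ':' and '+'.
    sed "s|^\([[:space:]]*SSLCipherSuite\)[[:space:]].*|\1 $NEW_SUITE|" "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf"
}

# Step 3: syntax-check before reloading so a typo cannot take the server down.
# Assumes the httpd binary is on PATH.
reload_httpd() {
    httpd -t && service httpd reload
}

# Step 4 helper: classify captured "openssl s_client" output read from stdin.
#   rejected     - server sent a handshake failure alert (weak ciphers refused)
#   accepted     - handshake completed (weak ciphers still enabled)
#   inconclusive - no connection, or the local openssl build has no LOW/EXP
#                  ciphers to offer, so the server was never tested
classify_handshake() {
    out="$(cat)"
    if printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q 'Verify return code'; then
        echo accepted
    else
        echo inconclusive
    fi
}

# Step 4: offer only LOW:EXP ciphers to HOST:443; succeed only when refused.
weak_ciphers_rejected() {
    result="$(openssl s_client -connect "$1:443" -cipher 'LOW:EXP' </dev/null 2>&1 | classify_handshake)"
    echo "$1: $result"
    [ "$result" = "rejected" ]
}

# Usage: sh harden_ssl.sh apply HOSTNAME
# Guarded so the functions can be sourced for testing without touching the server.
if [ "${1:-}" = "apply" ]; then
    harden_cipher_suite "$SSL_CONF" && reload_httpd && weak_ciphers_rejected "$2"
fi
```

The classifier distinguishes "rejected" from "inconclusive" on purpose: a modern openssl client that has no LOW or EXP ciphers compiled in exits before connecting, and treating that as a pass would hide a server that still accepts them. Note also that the article's recommended string keeps RC4+RSA; RFC 7465 prohibits RC4 cipher suites in TLS, so a current deployment would normally add !RC4 as well.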