How to disable SSL 3/RC4_128_SHA/RC4_128_MD5
-
I did a scan on my site using SSL Checker and the following were found:
SSL 3.0 is an outdated protocol version with known vulnerabilities. How can I fix this?
The server supports some insecure SSL ciphers
TLS_RSA_WITH_RC4_128_SHA [insecure]
TLS_RSA_WITH_RC4_128_MD5 [insecure]
I tried to disable them in httpd.conf and httpd-ssl.conf by entering the following:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache "shmcb:C:/laragon/bin/apache/apache-2.4.16/logs/ssl_scache(512000)"
SSLCompression off
SSLSessionTickets Off
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
</IfModule>
I restarted the service and used the SSL Checker to check, but I still get the same result. Can anybody help?
Many thanks
-
@teojerah: I always use these without any problem:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
-
Strange, I have used your setting in all the conf files, but it still does not work.
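Added example, not part of the thread and not code from any poster: SSLProtocol and SSLCipherSuite can also be set inside a <VirtualHost> block, where they take precedence over the server-wide values for that host, so this Python audit lists every occurrence with its enclosing context and flags those that leave SSLv3 or RC4 available. The file names, the vhost content and the function names are constructed for illustration, and the RC4 check is a keyword heuristic, not a full OpenSSL cipher-string evaluation.

```python
import re

# Constructed sample: the global block from the question plus a hypothetical vhost file.
SAMPLE_FILES = {
    "httpd-ssl.conf": """
<IfModule ssl_module>
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
</IfModule>""",
    "vhosts/example.conf": """
<VirtualHost *:443>
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL
</VirtualHost>""",
}

def sslv3_enabled(args):
    """mod_ssl rules: +X adds, -X removes, a bare name replaces the whole set."""
    enabled = False
    for tok in args.lower().split():
        hit = tok.lstrip("+-") in ("sslv3", "all")
        if tok[0] == "-":
            enabled = enabled and not hit
        else:
            enabled = hit or (tok[0] == "+" and enabled)
    return enabled

def rc4_possible(args):
    """Heuristic only: RC4 named, or a broad keyword used without '!RC4'."""
    toks = [t.upper() for t in re.split(r"[:, ]+", args) if t]
    return "!RC4" not in toks and any(
        t[0] not in "!-+" and ("RC4" in t or t in ("ALL", "DEFAULT", "MEDIUM")) for t in toks)

def audit(files):
    """Return (file, line, context, directive, weak) for each SSL directive found."""
    found = []
    for path, text in files.items():
        ctx = ["global"]
        for no, line in enumerate(text.splitlines(), 1):
            if m := re.match(r"\s*<(VirtualHost|Directory|Location)\b([^>]*)>", line, re.I):
                ctx.append(f"{m.group(1)} {m.group(2).strip()}")
            elif re.match(r"\s*</(VirtualHost|Directory|Location)>", line, re.I) and len(ctx) > 1:
                ctx.pop()
            elif m := re.match(r"\s*(SSLProtocol|SSLCipherSuite)\s+(.+)", line, re.I):
                check = sslv3_enabled if m.group(1).lower() == "sslprotocol" else rc4_possible
                found.append((path, no, ctx[-1], m.group(1), check(m.group(2))))
    return found

for row in audit(SAMPLE_FILES):
    print(row)
```

To audit a real installation, build the `files` dict from every file the running server actually loads, including anything pulled in through Include directives.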