Getting Apache HTTP Server (RHEL 6) SSLCipherSuite vulnerabilities

Solution Unverified - Updated -

Issue

  • We are currently using the Apache HTTP Server bundled with RHEL 6.
OS Version : Linux IDHPSWB2 2.6.32-358.23.2.el6.x86_64 #1 SMP Sat Sep 14 05:32:37 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux

Apache Info
Server version: Apache/2.2.22 (Unix)
Server built:   Oct 17 2012 11:45:48
Server's Module Magic Number: 20051115:30
Server loaded:  APR 1.3.9, APR-Util 1.3.9
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   64-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
  • The security vulnerabilities below have been discovered, and we want to change the SSLCipherSuite as follows:
AS_IS)
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXP
TO_BE)
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  • Also, is there any recommendation about SSLCipherSuite?
  • We were advised that these security vulnerabilities should be addressed:
Missing "X-XSS-Protection" header
Missing "X-Content-Type-Options" header
Missing "X-Content-Type-Policy" header
HTTP Strict Transport Security (HSTS)
BEAST (Browser Exploit Against SSL/TLS) vulnerability
CSRF (cross-site request forgery)
Cookies in an encrypted (SSL) session missing security attributes
Query parameters in SSL requests
Unsafe HTTP methods

Environment

  • Redhat Enterprise Linux (RHEL)
    • 6.x
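
The following Python script is an added example for this page; it is not Red Hat's code and not the questioner's configuration. It runs offline on constructed data: expand_ciphers() asks the OpenSSL linked into the local Python interpreter (so the expansion reflects that OpenSSL build, not the 1.0.1 shipped with RHEL 6) to expand an SSLCipherSuite string exactly as mod_ssl would, and weak_ciphers() reports any suite that still uses RC4, MD5, single DES, anonymous or export-grade crypto; audit_response() checks a raw HTTP response for the header, cookie and HTTP-method findings listed above. The two sample responses, the cookie name JSESSIONID, the 180-day HSTS threshold and the reading of "X-Content-Type-Policy" as Content-Security-Policy are this example's assumptions.

```python
"""Offline checks for the SSLCipherSuite and header findings in the question.
Added example; not Red Hat's or the questioner's code."""
import re
import ssl

# Cipher strings copied from the question.
AS_IS = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXP"
TO_BE = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
         "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
         "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
         "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
         "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
         "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
         "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
         "AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
         "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA")

# Suite names that must never survive in a hardened list.  3DES (DES-CBC3-*)
# is deliberately not listed because the TO_BE string keeps it on purpose.
WEAK_SUITE = re.compile(r"RC4|MD5|NULL|EXP|DES-CBC-|ADH|AECDH")


def expand_ciphers(spec):
    """Return the suite names OpenSSL selects for an SSLCipherSuite string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)          # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(spec):
    """Suites in the expansion that match WEAK_SUITE (empty list is the goal)."""
    return [n for n in expand_ciphers(spec) if WEAK_SUITE.search(n)]


# Headers the scanner expects (lower-cased).  "X-Content-Type-Policy" in the
# question is read as Content-Security-Policy (assumption of this example).
REQUIRED_HEADERS = {
    "strict-transport-security": 'missing "Strict-Transport-Security" header',
    "x-content-type-options": 'missing "X-Content-Type-Options" header',
    "x-xss-protection": 'missing "X-XSS-Protection" header',
    "content-security-policy": 'missing "Content-Security-Policy" header',
}
MIN_HSTS_MAX_AGE = 180 * 24 * 3600       # threshold chosen for this example
UNSAFE_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw):
    """Return the findings a scanner would raise for one HTTPS response."""
    _, headers = parse_response(raw)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append("HSTS max-age missing or shorter than 180 days")
        elif name == "set-cookie":
            cookie, *attrs = [p.strip() for p in value.split(";")]
            cookie_name = cookie.split("=", 1)[0]
            flags = {a.lower() for a in attrs}
            for flag in ("Secure", "HttpOnly"):
                if flag.lower() not in flags:
                    findings.append(f"cookie {cookie_name} lacks {flag} flag")
        elif name == "allow":
            advertised = {meth.strip().upper() for meth in value.split(",")}
            unsafe = sorted(advertised & UNSAFE_METHODS)
            if unsafe:
                findings.append("unsafe methods advertised: " + ", ".join(unsafe))
    return findings


# Constructed responses: BEFORE mirrors the findings in the question,
# AFTER is what the same URL should return once httpd is reconfigured.
BEFORE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=1A2B3C4D; Path=/",
    "Allow: GET,POST,PUT,DELETE,TRACE,OPTIONS",
    "", "<html>constructed body</html>"])
AFTER = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Content-Type-Options: nosniff",
    "X-XSS-Protection: 1; mode=block",
    "Content-Security-Policy: default-src 'self'",
    "Set-Cookie: JSESSIONID=1A2B3C4D; Path=/; Secure; HttpOnly",
    "Allow: GET,POST,OPTIONS",
    "", "<html>constructed body</html>"])

if __name__ == "__main__":
    for label, spec in (("AS_IS", AS_IS), ("TO_BE", TO_BE)):
        print(label, "weak suites:", weak_ciphers(spec) or "none")
    for label, resp in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, "findings:", audit_response(resp) or "none")
```

Two caveats worth knowing when reading the output. In an OpenSSL cipher string, SSLv2 and SSLv3 are cipher-suite aliases, not protocol switches: the !SSLv3 in the AS_IS string removes every suite first defined for SSLv3, which includes AES128-SHA and AES256-SHA that TLS 1.0/1.1 clients depend on, and it does not disable the SSLv3 protocol at all; that is done with SSLProtocol all -SSLv2 -SSLv3, and SSLHonorCipherOrder on makes the server's order, not the client's, decide the suite. Second, the TO_BE string deliberately keeps DES-CBC3-SHA for old clients, which is why the script does not flag 3DES; drop it unless such clients are known to exist. The header findings are httpd configuration rather than cipher settings (Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains", Header set X-Content-Type-Options nosniff, Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure, TraceEnable off), while CSRF and sensitive data in query parameters are application-level findings that no httpd directive fixes on its own.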
