Disable RC4?

paul-w (Verified User, joined Jan 25, 2006, 51 messages, Berkshire, UK)
Hi

I updated DA today to the latest 1.48.3 and Apache to 2.4.16 using custombuild.

I got this message when I upgraded:
Found ssl_cipher to be "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (likely put there to address the Poodle SSLv3 exploit).
The update has automatically swapped it to ssl_cipher=HIGH:!aNULL:!MD5, as -SSLv3 is no longer needed with these binaries.
This is to allow TLSv1.0 and TLSv1.1 again, since disabling the SSLv3 cipher prevented them from working, affecting older browsers that don't support TLSv1.2
Old hat, I know.

When I test my server at https://www.ssllabs.com/ssltest I get:
This server uses RC4 with modern browsers. Grade capped to C.

The explanation is here:
https://community.qualys.com/blogs/securitylabs/2015/04/23/ssl-labs-rc4-deprecation-plan

Is there a reason not to disable RC4 other than supporting old browsers?

If I change /etc/httpd/conf/extra/httpd-ssl.conf to:
SSLCipherSuite HIGH:!ADH

My server gets an A rating from ssllabs.com

I'm prepared to take my chances with stopping support for older browsers. Any other reasons why I shouldn't make this change?
 
Hello,


The current version of the config file has the following SSL cipher suites:

Code:
SSLCipherSuite HIGH:!aNULL:!MD5

And when I check my domain it shows:


Check your /usr/local/directadmin/custombuild/configure/ap2/conf/extra/httpd-ssl.conf and make sure you have no outdated /usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-ssl.conf, and then you can rewrite the Apache configs with:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs
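A check that covers both posts above: it expands a cipher string with the local OpenSSL build to confirm that a directive such as HIGH:!aNULL:!MD5 or HIGH:!ADH selects no RC4 (or other weak) suites, and it compares the SSLCipherSuite directive in a custom/ override against the configure/ template so a stale override is caught before ./build rewrite_confs copies it into the live config. This is an added example, not code from the thread or from DirectAdmin; the directory tree it builds under a temporary directory mirrors the custombuild paths named in the reply, and the two sample httpd-ssl.conf files are constructed.

```python
import re
import ssl
import tempfile
from pathlib import Path

# The two cipher strings quoted in the thread: the pre-update one and the one
# custombuild now writes.
OLD_DA_STRING = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP"
NEW_DA_STRING = "HIGH:!aNULL:!MD5"

# Substrings of OpenSSL cipher names that mark suites a modern TLS deployment
# should not offer: RC4, MD5 MAC, NULL encryption/auth, export grade, DES/3DES.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES")

# Matches an Apache SSLCipherSuite line; a quoted value loses its quotes.  The
# two-argument "SSLCipherSuite TLSv1.3 ..." form of newer Apache 2.4 releases
# is not handled here.
SSL_CIPHER_RE = re.compile(r'^\s*SSLCipherSuite\s+"?([^"\s]+)"?', re.MULTILINE)


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string against the local OpenSSL build.

    Returns the TLS 1.2-and-below suite names it selects, or None when OpenSSL
    rejects the string (nothing matched).  TLS 1.3 suites are configured
    separately and are dropped so the result reflects only the directive.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(cipher_string):
    """Selected suite names carrying a WEAK_MARKERS substring (None if invalid)."""
    names = expand_cipher_string(cipher_string)
    if names is None:
        return None
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def cipher_directive(conf_text):
    """Value of the last SSLCipherSuite directive in an httpd-ssl.conf body, or None."""
    found = SSL_CIPHER_RE.findall(conf_text)
    return found[-1] if found else None


def audit_conf(path):
    """Summarise one httpd-ssl.conf: its directive and the weak suites it selects."""
    directive = cipher_directive(Path(path).read_text())
    return {
        "path": str(path),
        "directive": directive,
        "weak": weak_ciphers(directive) if directive else None,
    }


def compare_overrides(template_conf, custom_conf):
    """Audit the configure/ template and, if present, the custom/ override.

    rewrite_confs uses the custom/ copy when it exists, so a stale override is
    what would put an old cipher string back into the live Apache config.
    """
    result = {"template": audit_conf(template_conf), "custom": None, "custom_differs": False}
    custom_conf = Path(custom_conf)
    if custom_conf.exists():
        result["custom"] = audit_conf(custom_conf)
        result["custom_differs"] = result["custom"]["directive"] != result["template"]["directive"]
    return result


def demo():
    """Constructed sample tree: a current template and a stale custom override."""
    with tempfile.TemporaryDirectory() as tmp:
        configure = Path(tmp, "configure", "ap2", "conf", "extra")
        custom = Path(tmp, "custom", "ap2", "conf", "extra")
        for d in (configure, custom):
            d.mkdir(parents=True)
        (configure / "httpd-ssl.conf").write_text(f"SSLCipherSuite {NEW_DA_STRING}\n")
        (custom / "httpd-ssl.conf").write_text(f"SSLCipherSuite {OLD_DA_STRING}\n")
        return compare_overrides(configure / "httpd-ssl.conf", custom / "httpd-ssl.conf")


if __name__ == "__main__":
    for label, s in (("old", OLD_DA_STRING), ("new", NEW_DA_STRING), ("poster", "HIGH:!ADH")):
        print(f"{label:7} {s}\n        weak suites: {weak_ciphers(s)}")
    report = demo()
    print("template directive:", report["template"]["directive"])
    if report["custom_differs"]:
        print("custom/ override differs:", report["custom"]["directive"],
              "-> update or remove it before ./build rewrite_confs")
```

Two caveats when reading the output: the expansion reflects the OpenSSL the server actually links, so a build that no longer compiles RC4 in will show none even for the old string, and on OpenSSL 1.0.x the HIGH group still contains 3DES (it was moved to MEDIUM in 1.1.0), which is why the check flags DES-CBC3 suites rather than trusting the group name.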