Passing PCI Scan on apache 2.2.22

user871199 asked:

We are on Ubuntu 12.04 and apache version 2.2.2. We had a PCI scan done on our site and 2 vulnerabilities came out that we cannot get under control. The first one is the BEAST attack and the other one is SSL RC4 Cipher Suites Supported.

So far I have tried the following, which looks promising. I tried a few more changes after searching for help, but those changes in turn started breaking browsers and were discarded.

SSLProtocol -SSLv2 -TLSv1 +SSLv3
SSLHonorCipherOrder On
SSLCompression off
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCompression off

Based on scan results on ssllabs, I am able to get only one of the vulnerabilities mitigated.
What changes do I need to make so that both vulnerabilities are addressed and current versions of browsers are still supported?

My answer:

These days the BEAST attack is generally mitigated through 1/n-1 record splitting, since RC4 is considered too weak to use today. Check your distribution’s security advisories for an updated OpenSSL that implements 1/n-1 record splitting, resolving CVE-2011-3389. (Note that Ubuntu seems to already have it.)

Of course, using a server capable of TLS 1.2 is the preferred solution.

View the full question and answer on Server Fault.
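To see why the two SSLProtocol variants in the question behave as they do, here is an added example (my own, not code from the question or the answer) that resolves Apache 2.2 mod_ssl directives into the protocol set the server will offer and reports the two scan items plus the TLS 1.2 point from the answer. It assumes the `KNOWN` list reflects what an OpenSSL 1.0.1 build can offer and that the sample SSLCipherSuite strings are constructed stand-ins for the site's real value.

```python
# Added example, not part of the question or answer: resolves Apache 2.2
# mod_ssl directives into what the server will actually offer and reports the
# two PCI scan items (RC4 offered, BEAST exposure) plus the TLS 1.2 check.

# Assumption: versions an OpenSSL 1.0.1 build can offer; an Apache build
# without TLS 1.1/1.2 support would only know the first three.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def enabled_protocols(sslprotocol, all_includes_sslv2=False):
    """Resolve an SSLProtocol value into the set of enabled versions.

    Tokens add a version ('+' or no sign) or remove it ('-'); ALL expands to
    every version in KNOWN. Assumption: whether ALL covers SSLv2 depends on
    the Apache/OpenSSL build, so it is left as a parameter.
    """
    enabled = set()
    for tok in sslprotocol.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            versions = set(KNOWN) if all_includes_sslv2 else set(KNOWN) - {"SSLv2"}
        else:
            versions = {name}
        enabled = enabled - versions if sign == "-" else enabled | versions
    return enabled


def audit(sslprotocol, sslciphersuite):
    """Return the findings a PCI scanner would raise against this pair."""
    protos = enabled_protocols(sslprotocol)
    cipher_tokens = sslciphersuite.split(":")
    findings = []
    # Aliases such as MEDIUM expand to RC4 suites on OpenSSL 1.0.x, so the
    # only safe reading of the string is "RC4 is off iff explicitly killed".
    if "!RC4" not in cipher_tokens:
        findings.append("SSL RC4 Cipher Suites Supported (add !RC4)")
    # BEAST targets CBC suites under SSLv3/TLS 1.0; the fix lives in OpenSSL
    # (1/n-1 record splitting, CVE-2011-3389), not in this directive.
    if protos & {"SSLv3", "TLSv1"}:
        findings.append("BEAST: SSLv3/TLS 1.0 CBC still negotiable; needs patched OpenSSL")
    if "TLSv1.2" not in protos:
        findings.append("TLS 1.2 not offered")
    if not protos - {"SSLv2", "SSLv3"}:
        findings.append("no TLS version enabled; current browsers will fail")
    return findings


if __name__ == "__main__":
    # Constructed cipher string standing in for the site's SSLCipherSuite.
    for proto in ("-SSLv2 -TLSv1 +SSLv3", "ALL -SSLv2", "ALL -SSLv2 -SSLv3"):
        print(proto, "->", audit(proto, "HIGH:MEDIUM:!aNULL:!MD5"))
```

The first variant from the question resolves to SSLv3 only, which explains the browser breakage, while `ALL -SSLv2` keeps TLS 1.0 negotiable and so still depends on the OpenSSL record-splitting fix; `openssl ciphers -v` remains the authoritative way to see what a cipher string expands to on a given build.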

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.