Fixing BEAST vulnerability on Apache 2.0 running on RHEL 4
I have a web server running Apache 2.0 on RHEL4. This server recently failed a PCI scan.
Reason: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability Solution: This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability. Using the following SSL configuration in Apache mitigates this vulnerability: SSLHonorCipherOrder On SSLCipherSuite RC4-SHA:HIGH:!ADH
Simple fix, I thought. I added the lines to Apache configuration and it didn't work. Apparently
"SSLHonorCipherOrder On" will only work on Apache 2.2 and later. I tried upgrading Apache, soon ran into dependency hell and it seems I will have to upgrade the entire OS to upgrade to Apache 2.2. We are retiring this server in a few months so it's not worth it.
The solution says "If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability."
How would I do this on Apache 2.0? Is this even possible? If not, are there any other work arounds?
Solution 1:
Other than compiling a newer Apache by hand, the only thing I can think of would be to make RC4-SHA the only supported cipher (tested with openssl ciphers RC4-SHA on the current openssl to make sure it only prints one cipher, you may want to do the same to make sure it doens't match some weird old cipher on your old openssl):
SSLCipherSuite RC4-SHA
MS says Windows XP suports TLS_RSA_WITH_RC4_128_SHA so you shouldn't have any compatibility problems.
Solution 2:
There are only two ways to "fix" BEAST at the server level.
The best option is to upgrade your server's SSL library to one that supports TLS v1.1 or later (and make sure your clients support it too, so you can force them to use it).
The other option is to disable any CBC (Cypher-Block-Chaining) encryption algorithms and switch to en ECB (Electronic Code Book) cypher or something like RC4 (ECB algorithms are theoretically "less secure" because a given plaintext input encrypted to a given key always maps back to the same cyphertext which makes it easier to break with known plaintext attacks, but in practical terms this isn't likely to be a huge problem. Google (as an example) still uses RC4).
Since the server you're running is dead, buried, and decomposing this is probably not worth the amount of effort it would require to build a patched Apache (you will need to rebuild Apache and OpenSSL in isolation, so as not to upset anything that requires the version of OpenSSL installed on your system by default -- If you're doing that much work you may as well upgrade the whole system to something that's actually supported), so that pretty much leaves you with "Switch to ECB Cyphers" as your viable solution.
BEAST is really a nothing-burger of an attack these days -- All the popular browsers (IE, Chrome, Safari, Opera) have implemented an effective workaround, and because of the way the attack works it's pretty hard to implement outside of a browser (so apt and yum are still pretty much safe).
Adam Langley from Google gave an excellent talk earlier this year which outlines some of the pain points you should be concentrating on re: SSL and security -- While BEAST earned a mention it was near the bottom of the list of things to be worried about.
Solution 3:
The only solution that I have found that will get you to pass the ssllabs.com test is to add the following four lines to your apache httpd.conf and your ssl.conf files:
SSLHonorCipherOrder On
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite RC4-SHA:HIGH:!MD5:!aNULL:!EDH:!ADH
SSLInsecureRenegotiation off
Make sure that you do not have any of these settings posted twice in the ssl.conf file.
Now my sites pass with an A.