Question
For PCI compliance I was required to protect our server against BEAST attacks. While I have correctly configured the Apache/OpenSSL settings to pass a scan, these settings have effectively limited the client browsers that can securely transact on the site's HTTPS side.
We are using CentOS 6.5 Final, OpenSSL 1.0.1e-fips 11 Feb 2013
I cannot find any information on how to update or add either specific or all ciphers to OpenSSL.
Are cipher suites distributed within the OpenSSL program, or are cipher suites add-ons? If they are add-ons, how do you update them?
Explanation / Answer
A fully updated system will still have insecure or weak cipher suites enabled. You can run a tool such as TestSSLServer, written by Thomas Pornin, which will give you a list of cipher suites that are vulnerable to BEAST and CRIME.
After you have identified the specific set of insecure cipher suites that affect your system, you can disable them in Apache's SSL configuration.
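As an added illustration of the "identify, then disable" step above (this is example code, not part of the original answer and not TestSSLServer's output), the following POSIX shell functions read cipher-suite lines in the format printed by `openssl ciphers -v`, flag the CBC-mode suites that BEAST concerns under TLS 1.0, and build the `!SUITE` exclusion fragment that can be appended to Apache's `SSLCipherSuite` string. The sample lines are constructed to mirror that format so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example: classify `openssl ciphers -v` style lines and derive an
# Apache SSLCipherSuite exclusion list. Function names are hypothetical.
# Constructed sample in the layout openssl prints: NAME PROTO Kx= Au= Enc= Mac=
SAMPLE_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD'

# classify_suite NAME ENC MAC -> prints aead, stream or cbc.
# Heuristic: Mac=AEAD marks GCM/CCM/ChaCha suites; Enc=RC4 is a stream
# cipher (not CBC, but weak for other reasons); everything else openssl
# lists with a separate Mac= is a CBC-mode block cipher (AES, 3DES, ...).
classify_suite() {
  case "$3" in
    Mac=AEAD) echo aead ;;
    *)
      case "$2" in
        Enc=RC4*) echo stream ;;
        *) echo cbc ;;
      esac ;;
  esac
}

# list_cbc_suites: reads openssl-ciphers-style lines on stdin and prints
# the names of the CBC-mode suites, one per line.
list_cbc_suites() {
  while read -r name proto kx au enc mac; do
    [ -n "$name" ] || continue
    if [ "$(classify_suite "$name" "$enc" "$mac")" = cbc ]; then
      echo "$name"
    fi
  done
}

# build_exclusions: turns the names on stdin into a colon-joined "!NAME"
# fragment suitable for appending to an Apache SSLCipherSuite string.
# (An explicit allow-list with SSLHonorCipherOrder is the stronger pattern;
# this fragment is the minimal "disable what the scan flagged" change.)
build_exclusions() {
  out=""
  while read -r name; do
    [ -n "$name" ] || continue
    out="${out:+$out:}!$name"
  done
  printf '%s\n' "$out"
}

# sample_exclusions: runs the constructed sample through both steps.
sample_exclusions() {
  printf '%s\n' "$SAMPLE_CIPHERS" | list_cbc_suites | build_exclusions
}
```

Against a real host, `openssl ciphers -v 'ALL' | list_cbc_suites` lists the CBC suites that build of OpenSSL offers, and `build_exclusions` turns the subset your scanner flagged into the `!...` fragment for `SSLCipherSuite`; note that disabling every CBC suite on OpenSSL 1.0.1 leaves only the TLS 1.2 AEAD suites, which is exactly the client-compatibility trade-off the question describes.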