
How to disable SSL - RC4 Ciphers on Windows Server running Apache 2.4

I have a PHP application running under Apache 2.4 on a Windows Server. One of the business security issues is to disable SSL - RC4 Ciphers support.

I had added these lines in httpd.conf:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

But this issue still keeps coming up.

Is there something I need to do in the operating system to disable this cipher?

Thanks!

We've been doing this for disabling SSL3 and RC4 filters on Windows. Save the following code as DisableSSLv3AndRC4.reg and double-click it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

You can test it after with https://www.ssllabs.com/

You should put the 3 lines inside the <VirtualHost> section, together with the rest of the SSL-specific configuration keys, e.g. "SSLEngine", SSLCertificateFile
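A way to check the placement the last answer describes, as an added example that is not part of the original question or answers: it reports each SSL-enabled <VirtualHost> that does not carry the three directives itself, or whose SSLCipherSuite has no `!RC4` token. The sample config, the function names `audit_vhosts` and `check_vhost`, and the finding texts are constructed for illustration.

```python
import re

# Constructed sample config, not taken from the page.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile "conf/ssl/app.crt"
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA256 !aNULL !eNULL !RC4"
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLCertificateFile "conf/ssl/legacy.crt"
    SSLCipherSuite "HIGH:MEDIUM:RC4-SHA"
</VirtualHost>
"""

REQUIRED = ("sslprotocol", "sslhonorcipherorder", "sslciphersuite")

def check_vhost(directives):
    """List what an SSL-enabled vhost is missing (hypothetical helper)."""
    issues = ["missing " + d for d in REQUIRED if d not in directives]
    suite = directives.get("sslciphersuite")
    # OpenSSL cipher strings separate tokens with spaces, colons or commas;
    # "!RC4" is the token that removes RC4 permanently.
    if suite is not None and "!RC4" not in re.split(r"[\s:,]+", suite):
        issues.append("SSLCipherSuite has no !RC4 exclusion")
    return issues

def audit_vhosts(conf_text):
    """Map each SSL-enabled <VirtualHost> address to its list of issues."""
    report, addr, directives = {}, None, {}
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            addr, directives = opened.group(1).strip(), {}
        elif line.lower().startswith("</virtualhost"):
            if directives.get("sslengine", "").lower() == "on":
                report[addr] = check_vhost(directives)
            addr = None
        elif addr and line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip().strip('"')
    return report

if __name__ == "__main__":
    for vhost, issues in audit_vhosts(SAMPLE_CONF).items():
        print(vhost, "->", issues or "ok")
```

Run against the cipher string from the question, `check_vhost` reports nothing, because that string already ends in `!RC4`; what the script looks at beyond that is whether the directives sit in the vhost that actually serves TLS.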
