Fix Ubuntu 16 sweet32 vulnerability

Question

While doing PCI scan our ubuntu16 web servers with apache and nginx has marked failed against Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32).

THREAT: Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of SSL/TLS protocol support cipher suites which use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher are affected.

Below are the details mentioned in the scan. Was some one able to apply fix for the same in Ubuntu16?

IMPACT:
Remote attackers can obtain cleartext data via a birthday attack against a long-duration encrypted session.

SOLUTION:
Disable and stop using DES, 3DES, IDEA or RC2 ciphers.
More information can be found at Microsoft Windows TLS changes docs and Microsoft Transport Layer Security (TLS) registry settings

RESULT:
CIPHER
KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE
TLSv1.2 WITH 64-BIT CBC CIPHERS IS
SUPPORTED
DES-CBC3-SHA RSA RSA SHA1 3DES(168) MEDIUM
EDH-RSA-DES-CBC3-SHA DH RSA SHA1 3DES(168) MEDIUM
ECDHE-RSA-DES-CBC3-SHA ECDH RSA SHA1 3DES(168) MEDIUM

Answer 1

您需要排除那些东西，或者在这样的旧系统上仅使用 AES：

SSLCipherSuite "AES:!aNULL:!eNULL:!EXP"