Tag Archives: apache

Mitigating the BEAST attack on TLS

There are two researchers that have developed a new type of attack to TLS 1.0/SSL 3.0 protocol that allows them to decrypt client requests on the fly and hijack confidential sessions, for example e-commerce. This is made possible by a known flaw in TLS.

So this is something that needs addressing. It’s basically the same on any web server, make sure the weak ciphers isn’t used.

For apache this is needed to be added to the configuration:

SSLHonorCipherOrder On 
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-TLSv1-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

On nginx the syntax are the following:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA;
ssl_prefer_server_ciphers on;

More information about the BEAST attack:
CVE-2011-3389
New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies

References:
Mitigating the BEAST attack
Configure SSL on nginx