7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled

Information

The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client. Disable the medium strength ciphers such as Triple DES (3DES) and IDEA by adding '!3DES' and '!IDEA' in the SSLCipherSuite directive.

Rationale:

Although Triple DES was a trusted standard in the past, several vulnerabilities for it have been published over the years and it is no longer considered secure. A somewhat recent attack against 3DES in CBC mode, nicknamed the SWEET32 attack, was published in 2016 as CVE-2016-2183. The IDEA cipher in CBC mode is also vulnerable to the SWEET32 attack.

Solution

Perform the following to implement the recommended state:
Add or modify the following lines in the Apache server level configuration and every virtual host that is SSL/TLS enabled:

SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

**IMPORTANT NOTE:** The above 'SSLCipherSuite' value disables only the weak and medium ciphers but allows other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for more stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.

SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: ddde045e07c0d2527b64932697368f78a6dd1e912d713a59ff5e7c59a3a3be3a