7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled

Information

The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client. Disable the medium strength ciphers such as Triple DES (3DES) and IDEA by adding !3DES and !IDEA in the SSLCipherSuite directive.

Rationale:

Although Triple DES has been a trusted standard in the past, several vulnerabilities for it have been published over the years and it is no longer considered secure. A vulnerable against 3DES in CBC mode was nicknamed the SWEET32 attack, was published in 2016 as CVE-2016-2183. The IDEA cipher in CBC mode, is also vulnerable to the SWEET32 attack.

Solution

Perform the following to implement the recommended state:
Add or modify the following lines in the Apache server level configuration and every virtual host that is SSL/TLS enabled:

SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

IMPORTANT NOTE: The above SSLCipherSuite value disables only the weak and medium ciphers but allows other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for more stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.

SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

Default Value:

The following are the default values:

SSLCipherSuite default depends on OpenSSL version.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|CM-6, 800-53|CM-7, 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 5ab4de3c3bb7f63d47d6bf29711d51b65ef7b07c7d81744a9219c97177db747e