CVE-2016-2183 : Disable and stop using DES and 3DES ciphers in apache

TITLE: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

CVEID: CVE-2016-2183

We need to add DES and 3DES in /etc/httpd/conf.modules.d/ssl.conf file in order to disable it.

Look for SSLCipherSuite line

[root@test ~]# grep SSLCipherSuite /etc/httpd/conf.modules.d/ssl.conf
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
[root@test ~]#

Modify like below

[root@test ~]# grep SSLCipherSuite /etc/httpd/conf.modules.d/ssl.conf
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES:!3DES
[root@test ~]#

Restart the required services for the port which u got vulnerability.

The following openssl commands can be used to do a manual test:

openssl s_client -connect ip:port -cipher "DES:3DES" -ssl2

openssl s_client -connect ip:port -cipher "DES:3DES" -ssl3

openssl s_client -connect ip:port -cipher "DES:3DES" -tls1

openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_1

openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_2

[root@test ~]# openssl s_client -connect 10.10.10.1:443 -cipher "DES:3DES" -tls1_2

CONNECTED(00000003)

140592171460512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40

140592171460512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 7 bytes and written 0 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : 0000

    Session-ID:

    Session-ID-ctx:

    Master-Key:

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    Start Time: 1499085145

    Timeout   : 7200 (sec)

    Verify return code: 0 (ok)

---

[root@test ~]#