Disable weak ssl ciphers in lighttpd in Linux

by jagbir on March 29, 2011

To tighten security or again to pass PCI test, you can disable weak SSL cipher. Let’s do it in a host running lighttpd web server in CentOS Linux.

Normally, you get message like this for this issue:

Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network. Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Risk Factor: Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C/I:N/A:N)

Let’s disable these weak cipher’s now:

Update config file to add or modify following lines. After addition/editing, lines should look like this:

$ vi /etc/lighttpd/lighttpd.conf
ssl.use-sslv2 = "disable"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

make sure that you have to put these lines in any blocks/vhosts etc. also because these are global options and if you not put these in vhosts blocks, then they will not be effective.

Time to verify things, you can check whether ssl2 is disabled first:

$ openssl s_client -connect localhost:443 -ssl2

you should get error while connecting.

Now check whether weak ciphers are disabled:

$ openssl s_client -connect localhost:443 -cipher EXP:LOW

here as well, you should get error while connecting.

Previous post:

Next post: