Lately, vulnerability scanners have been flagging servers that are susceptible to CVE-2016-2183. In a nutshell, you need to disable any TLS ciphers using 3DES. More detailed information about this vulnerability and why it exists can be found at the links below:
https://access.redhat.com/articles/2548661
https://sweet32.info
Mitigating this vulnerability within Apache is pretty straight forward. Below are the steps to confirm if you are actually affected by this vulnerability and how to remediate it.
First, confirm your Apache web server is actually vulnerable to this by seeing if the 3DES ciphers are returned in this nmap test:
[user@workstation ~]# nmap --script ssl-enum-ciphers -p 443 SERVER_IP_ADDRESS_HERE Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-30 17:57 EST Nmap scan report for xxxxxxxx (xxx.xxx.xxx.xxx) Host is up (0.018s latency). PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.2 | Ciphers (14) | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_GCM_SHA384 | Compressors (1) |_ uncompressed
As you can see in the output above, this server is affected by this vulnerability as its allowing for the following 3DES ciphers:
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
Disabling this in Apache is pretty easy. Simply navigate to where ever you have your SSLCipherSuite configuration defined and disable 3DES. Typically this should be in /etc/httpd/conf.d/ssl.conf, however some may also have this defined in each individual Apache vhost. If you are unsure where its configured, you should be able to locate it on your server by running:
# CentOS / Red Hat [root@web01 ~]# egrep -R SSLCipherSuite /etc/httpd/* # Ubuntu / Debian [root@web01 ~]# egrep -R SSLCipherSuite /etc/apache2/*
Once you locate the config(s) that contain this directive, you simple add !3DES to the end of the SSLCipherSuite line as shown below:
[root@web01 ~]# vim /etc/httpd/conf.d/ssl.conf ... SSLCipherSuite EECDH+AESGCM:EECDH+AES256:EECDH+AES128:EDH+AES:RSA+AESGCM:RSA+AES:!ECDSA:!NULL:!MD5:!DSS:!3DES ...
Once that is done, restart Apache by:
# CentOS / Red Hat [root@web01 ~]# service httpd restart # Ubuntu / Debian [root@web01 ~]# service apache2 restart
Finally, retest using nmap to confirm no ciphers using 3DES show up:
[user@workstation ~]# nmap --script ssl-enum-ciphers -p 443 SERVER_IP_ADDRESS_HERE Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-30 18:03 EST Nmap scan report for xxxxxxxx (xxx.xxx.xxx.xxx) Host is up (0.017s latency). PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.2 | Ciphers (12) | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_GCM_SHA384 | Compressors (1) |_ uncompressed
If no 3DES ciphers are returned like in the listing above, you should be good to rerun your vulnerability scan!