Disable weak ciphers in Apache + CentOS

1) Edit the following file

vi /etc/httpd/conf.d/ssl.conf

 

2) Press Shift+G (the "G" command) to jump to the end of the file

3) Copy and paste the following lines. They land after the closing </VirtualHost> tag, i.e. in the global server context, which is also where SSLStaplingCache has to be set.

    * If you are using "vi" press the key "o" to open a new line below the last line of the file and enter insert mode

 

SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder on

SSLCompression off

SSLSessionTickets off

 

# OCSP Stapling, only in httpd 2.3.3 and later

SSLUseStapling on

SSLStaplingResponderTimeout 5

SSLStaplingReturnResponderErrors off

SSLStaplingCache shmcb:/var/run/ocsp(128000)

NOTE: this is a compatibility-oriented list: it still allows TLS 1.0/1.1 and the three 3DES suites (the *-DES-CBC3-SHA entries) for old clients. If you do not need to support such clients, remove the DES-CBC3-SHA entries and use "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" (httpd 2.4 syntax). The four OCSP stapling directives require httpd 2.4 (CentOS 7); httpd 2.2 on CentOS 6 does not know "SSLUseStapling" and will refuse to start, so leave them out there.

4) Make sure the same directives are not still active further up in the file. The default ssl.conf already sets SSLProtocol and SSLCipherSuite inside the <VirtualHost _default_:443> block, and a directive inside a VirtualHost overrides the global one, so if those lines stay active the settings you just appended are silently ignored for that host.

   * Press the key "escape" to leave insert mode, then press the key "/" to search

   * Search for each of the following directives and comment out every copy that sits above the block you added (not the block itself) by putting the symbol "#" at the beginning of the line:

       * SSLProtocol

       * SSLCipherSuite

       * SSLHonorCipherOrder

       * SSLCompression

       * SSLSessionTickets

   * Press the key "n" to jump to the next match of the same search

NOTE: some of the above lines are already commented, so just leave them commented

 

5) Save the file in "vi" by running ":wq"

 

6) Restart Apache

 

  #  systemctl restart httpd (CentOS 7)

Or

  # /etc/init.d/httpd restart  (CentOS 6)
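The whole procedure as a script, added here as a worked example (it is not part of the original article or of Apache): it comments out the VirtualHost-level directives, appends the hardening block once, runs the httpd syntax check before restarting, and verifies the live server afterwards. The path /etc/httpd/conf.d/ssl.conf, the CentOS 7 restart command, the function names and the abbreviated sample ssl.conf are assumptions made for the example; the stapling lines are included in the block, so on CentOS 6 (httpd 2.2) delete them from HARDENING_BLOCK first.

```shell
#!/bin/bash
# Added example, not from the original article: apply its TLS hardening to an
# Apache ssl.conf and verify it. Assumes GNU sed/grep (CentOS) and, for the
# restart, CentOS 7 (systemctl). All function names are our own.
set -eu

# The block the article appends (step 3). The four stapling lines need httpd 2.4
# (CentOS 7); delete them for httpd 2.2 on CentOS 6 or httpd will not start.
HARDENING_BLOCK='# Hardened TLS settings (appended; global server context)
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)'

# Directives that, if left active inside <VirtualHost>, override the global
# block and silently undo the hardening (step 4).
DIRECTIVES='SSLProtocol|SSLCipherSuite|SSLHonorCipherOrder|SSLCompression|SSLSessionTickets'

# Count active (uncommented) copies of those directives in a file.
active_directives() {
    grep -cE "^[[:space:]]*($DIRECTIVES)[[:space:]]" "$1" || true
}

# Step 4: comment out every active copy; already-commented lines are untouched.
comment_default_directives() {
    sed -i -E "s/^([[:space:]]*)($DIRECTIVES)([[:space:]])/\1#\2\3/" "$1"
}

# Step 3: append the block once (re-running the script must not duplicate it).
append_hardening() {
    if grep -qF '# Hardened TLS settings' "$1"; then
        return 0
    fi
    printf '\n%s\n' "$HARDENING_BLOCK" >> "$1"
}

# Constructed, abbreviated stand-in for the CentOS 7 default ssl.conf (the real
# file is longer but sets the same two directives inside the VirtualHost).
make_sample_conf() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)

<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
#SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

# Steps 3 to 6 on the real file: back up, edit, syntax-check, restart.
harden() {
    local conf="${1:-/etc/httpd/conf.d/ssl.conf}"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    comment_default_directives "$conf"
    append_hardening "$conf"
    httpd -t                  # a syntax error aborts here (set -e), before the restart
    systemctl restart httpd   # CentOS 7; on CentOS 6 use: service httpd restart
}

# Post-restart check against the running server (assumes an RSA certificate).
verify_live() {
    local host="${1:-localhost}"
    # TLS 1.2 with a suite from the list must still work ...
    echo | openssl s_client -connect "$host:443" -tls1_2 \
        -cipher ECDHE-RSA-AES128-GCM-SHA256 >/dev/null 2>&1 || return 1
    # ... and SSLv3 must be refused. An OpenSSL built without SSLv3 rejects
    # "-ssl3" as an unknown option, which also exits non-zero; read the error
    # text if in doubt.
    if echo | openssl s_client -connect "$host:443" -ssl3 >/dev/null 2>&1; then
        echo "SSLv3 still accepted by $host" >&2
        return 1
    fi
}

# Usage: ./harden-ssl.sh /etc/httpd/conf.d/ssl.conf
# Nothing runs when the file is sourced without arguments.
if [ "$#" -gt 0 ]; then
    harden "$1"
    verify_live localhost
fi
```

Run it as root with the config path as the only argument; the backup it writes beside ssl.conf is what you restore from if httpd -t rejects the result.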
