Qualys SSL Labs and weak ciphers with CentOS 6.5 and Apache

Lately I tried to improve the SSL score for the Qualys SSL Labs SSL configuration scanner. After a few tries I noticed that changes I made to SSLCipherSuite did not change anything at all – so there has to be a config file that overrides the settings for Apache 2.2.

Qualys error:

TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK

TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK

TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK

TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK

TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK

Solution:

What I learned is that if you use Apache 2.2 with vhosts, the Apache vhost config for your site overrides the /etc/httpd/conf.d/ssl.conf settings! This behaviour makes no sense at all to me – nevertheless, here is the solution:

Settings I used for /etc/httpd/conf.d/ssl.conf

  and for /etc/httpd/conf/sites-available/.vhost  

That's the trick for an A- rating. As far as I know, an A(+) rating is not possible while running Apache 2.2.
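
An added example, not from the original post: a small Python check that reads Apache config text and reports which SSLCipherSuite each `<VirtualHost>` actually ends up with, which is the override described above. The file name `example.vhost`, the sample cipher strings and the `WEAK` class list are assumptions of this example; the weak-class test is a heuristic, and `openssl ciphers -v '<string>'` gives the exact suite list.

```python
import re

# Cipher classes behind the suites Qualys marked WEAK (selection made for this example).
WEAK = ("EXP", "LOW", "DES", "RC4", "RC2", "MD5")

def weak_classes(cipher_string):
    """Heuristic: weak classes an OpenSSL cipher string adds and never bans with '!'."""
    norm = lambda s: "EXP" if s.startswith("EXP") else s   # EXP, EXPORT, EXPORT40 ...
    tokens = [t.strip().upper() for t in cipher_string.split(":")]
    banned = {norm(t[1:]) for t in tokens if t.startswith("!")}
    added = set()
    for t in tokens:
        if not t or t[0] in "!-":
            continue
        for part in map(norm, t.lstrip("+").split("+")):
            if part == "ALL":
                added.update(WEAK)
            elif part in WEAK:
                added.add(part)
    return sorted(added - banned)

def effective_suites(files):
    """files: [(path, text)] in load order -> {"path:line of <VirtualHost>": hit}.
    hit = (path, line, cipher string); a vhost with no directive inherits server level."""
    found, scope = {}, None            # key None = server level, outside any vhost
    for path, text in files:
        for n, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if re.match(r"<VirtualHost\s+[^>]+>", line, re.I):
                scope = f"{path}:{n}"
                found.setdefault(scope, None)
            elif re.match(r"</VirtualHost>", line, re.I):
                scope = None
            elif m := re.match(r"SSLCipherSuite\s+(\S+)", line, re.I):
                found[scope] = (path, n, m.group(1).strip('"'))
    return {s: hit or found.get(None) for s, hit in found.items() if s}

SAMPLE = [  # constructed input, not the author's files
    ("/etc/httpd/conf.d/ssl.conf", "SSLCipherSuite HIGH:!aNULL:!MD5\n"),
    ("example.vhost",
     "<VirtualHost *:443>\n ServerName a.example.com\n"
     " SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\n</VirtualHost>\n"
     "<VirtualHost *:443>\n ServerName b.example.com\n</VirtualHost>\n"),
]

if __name__ == "__main__":
    for vhost, hit in effective_suites(SAMPLE).items():
        print(vhost, "uses", hit and hit[:2], "weak:", hit and weak_classes(hit[2]))
```

On the constructed sample, the first vhost reports its own weak string from `example.vhost` line 3, while the second vhost falls back to the server-level setting.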
