
Secure Apache Web Server - Use SSLScan and Disable Ciphers (SSLv3, TLSv1 ..etc)

37 views
May 20, 2017
4:56

How to Disable Vulnerable Ciphers after Finding Them Using SSLScan

This part of the series is an SSLScan tutorial with examples. In this tutorial I will go through SSLScan and how to use it to find the available ciphers. I will then update OpenSSL, disable the vulnerable ciphers and force the use of newer ones.

SSLScan scans all the different ciphers in use on the target host. There are different versions and types of SSL, and SSLScan helps you determine everything about them. Older ciphers are vulnerable to attacks, which is why it is good practice to disable them and force the use of newer ones only.

Install the SSLScan utility on Linux

    yum install sslscan

Or manually:

You must have git, glibc and openssl-devel installed; if you don't have them, run 'yum install git gcc openssl-devel'.
Download the tar file from here to your Linux box.
Decompress the file using 'tar xfvz file-name-tar.gz'.
Change to the folder where you decompressed the files and run 'make static'.
Run 'make install'.
Confirm by running 'sslscan --version'.

Use SSLScan to scan for available ciphers

Replace "whatever" with the domain, or use an IP, and specify the port, which is 443 by default.

    sslscan www.whatever.com:443

Or

    sslscan ip.ip.ip.ip:443

Disable older ciphers

    vi /etc/httpd/conf.d/ssl.conf

Set the following line, then save:

    SSLProtocol all -SSLv2 -SSLv3

Restart the service

    service httpd restart
    systemctl restart httpd

Update your OpenSSL and force newer ciphers

Note: to enable newer ciphers you have to be sure that your OpenSSL is updated and supports them, or else you will get an error similar to "SSLProtocol: Illegal protocol 'TLSv1.1'".

This is part of the Apache Web Server Hardening and Secure Tutorial Series. This tutorial applies to all ciphers, like disabling SSLv3 and SSLv2 and forcing all of TLSv1, TLSv1.1 and TLSv1.2.
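To check an edited ssl.conf before restarting httpd, the following added example (not from the video or from the Apache project) models how an SSLProtocol argument list such as "all -SSLv2 -SSLv3" resolves, and flags any directive that still leaves SSLv2 or SSLv3 enabled. It assumes "all" expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2, which varies with the Apache and OpenSSL build; the function names effective_protocols and audit_conf are hypothetical.

```shell
# Added example. Assumption: "all" expands to the set below; the real
# expansion depends on the Apache and OpenSSL build in use.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# effective_protocols "all -SSLv2 -SSLv3" -> protocols left enabled.
# Tokens apply left to right: +X adds, -X removes, bare X replaces the set.
effective_protocols() (
    set -f; enabled=""
    for tok in $1; do
        case "$tok" in
            +*) action=add;  name=${tok#+} ;;
            -*) action=drop; name=${tok#-} ;;
            *)  action=set;  name=$tok; enabled="" ;;
        esac
        case "$name" in all|All|ALL) name=$ALL_PROTOCOLS ;; esac
        for n in $name; do
            kept=""
            for p in $enabled; do [ "$p" = "$n" ] || kept="$kept $p"; done
            enabled=$kept
            [ "$action" = drop ] || enabled="$enabled $n"
        done
    done
    out=""                      # print in a fixed order
    for p in SSLv2 $ALL_PROTOCOLS; do
        case " $enabled " in *" $p "*) out="$out $p" ;; esac
    done
    echo "${out# }"
)

# audit_conf < ssl.conf: report each uncommented SSLProtocol line; return 1 if
# any leaves SSLv2 or SSLv3 on. The directive name is matched case-sensitively.
audit_conf() (
    set -f; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line
        [ "${1:-}" = "SSLProtocol" ] || continue
        shift
        on=$(effective_protocols "$*")
        case " $on " in
            *" SSLv2 "*|*" SSLv3 "*) echo "line $n: WEAK $on"; rc=1 ;;
            *) echo "line $n: OK $on" ;;
        esac
    done
    exit "$rc"
)

# Constructed sample input, not taken from a real server.
printf '%s\n' '#SSLProtocol all' 'SSLProtocol all -SSLv2 -SSLv3' | audit_conf
```

Against the real file, run it as audit_conf < /etc/httpd/conf.d/ssl.conf and follow up with sslscan to confirm what the server actually negotiates.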
