SDP MSP 9.0 Build 9009
After setting up HTTPS and installing my SSL certificate, I want to ensure the site is protected from known vulnerabilities.
I ran my CA's inspection tool and it tells me that I have two weaknesses: 1) RC4 Cipher Enabled - a cipher suite is enabled that is using the weak RC4 stream cipher, and 2) BREACH Vulnerability - the server is vulnerable to the BREACH attack.
- ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
However, the server.xml file already contains the following:
- ciphers="SSL_RSA_WITH_RC4_128_MD5,
- SSL_RSA_WITH_RC4_128_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
For the BREACH issue, this is what the CA's tool reports:
So I have two questions:
- Given what is already there, what is the correct info to put into server.xml to mitigate the RC4 issue? I don't want to guess and introduce anything that might make my situation worse.
- How can I mitigate the BREACH issue?
Thanks
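As an added example that is not part of the original post (and not ManageEngine's own configuration): the poster's existing `ciphers` attribute with the two RC4 suites dropped, the renegotiation SCSV kept, and Tomcat's HTTP compression explicitly switched off, since BREACH relies on the server compressing responses that mix secrets with attacker-influenced input. It assumes SDP MSP's server.xml is a standard Tomcat server.xml (the `ciphers` syntax in the post is Tomcat's Connector syntax); the port, keystore path and password are placeholders.

```xml
<!-- Added example, not the poster's file. Assumes a Tomcat HTTPS Connector;
     port, keystoreFile and keystorePass are placeholders to be replaced with
     the values already present in the existing Connector element. -->
<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="conf/sdp.keystore"
           keystorePass="CHANGE_ME"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
           compression="off" />
```

`compression="off"` is Tomcat's default, so if the scanner still reports BREACH after this change, the compression it sees is being applied somewhere this attribute does not control (a reverse proxy or load balancer in front of Tomcat, or the application itself), and that is where it has to be disabled. Re-run the CA's scan after restarting the service to confirm both findings are gone.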