Background:
We had a requirement to disable all version of ssl for encryption and use TLS. We used https://www.ssllabs.com to test our http server
We found that SSL 3 had a vulnerability. By removing SSL from the list of supported protocols, BEAST attach and POODLE were mitigated and were able to achieve an over all rating of B for our website
The following was done in the ssl.conf file of apache server
SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
With reference to the SSLCipherSuite your OpenSSL supports all those ciphers but Apache 2.2.x doesn’t support the ECDHE/ECDSA ones.
Reference:
https://community.qualys.com/thread/12684
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
