apache ssl openssl lets-encrypt mod-ssl

Apache SSL: "an obsolete key exchange (RSA)"


I have a site https://warsoftheheroes.eu/ which is hosted using Apache with SSL with a Let's Encrypt certificate. In the Chrome/Chromium browser, in developer tools -> security, I see this message:

Obsolete Connection Settings

The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM).

and here is my Apache SSL configuration:

<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443

<VirtualHost _default_:443>
    ServerName localhost
    Include /etc/apache2/vhosts.d/default_vhost.include
    ErrorLog /var/log/apache2/ssl_error_log
    <IfModule log_config_module>
            TransferLog /var/log/apache2/ssl_access_log
    </IfModule>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
    SSLHonorCipherOrder On
    SSLCertificateFile /home/wof/ssl/fullchain1.pem
    SSLCertificateKeyFile /home/wof/ssl/privkey1.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/localhost/cgi-bin">
            SSLOptions +StdEnvVars
    </Directory>
    <IfModule setenvif_module>
            BrowserMatch ".*MSIE.*" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
    </IfModule>
    <IfModule log_config_module>
            CustomLog /var/log/apache2/ssl_request_log \
                    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>

# vim: ts=4 filetype=apache

What should I change in this config file to get rid of this obsolete key exchange?


Solution

  • According to the SSLLabs test, your site does not support any ECDHE ciphers, even though it looks like you have configured these ciphers in your server configuration. Since TLS 1.2 support (which you have) and ECDHE support (which you don't have) were both added in OpenSSL 1.0.1, my guess is that you have a version of OpenSSL which is compiled without support for ECC (and thus ECDHE).

    As far as I know, older versions of RHEL (and thus CentOS too) and Fedora were shipped with ECC support removed for patent reasons, so you might check if you are using one of the affected systems. The output of openssl ciphers -V shows you which ciphers are supported, and you should check if ECDHE is supported there.
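
The check suggested in the answer above, as an added example that is not part of the original answer: it summarises `openssl ciphers -V` output by key exchange and lists the ECDHE entries of an `SSLCipherSuite` string that the local OpenSSL build cannot provide. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Constructed sample of `openssl ciphers -V` output from a build without ECC.
sample_no_ecc() {
cat <<'EOF'
          0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Print "<Kx> <count>" for each key exchange in a `openssl ciphers -V` listing on stdin.
kx_summary() {
    awk '{ for (i = 4; i <= NF; i++) if ($i ~ /^Kx=/) n[substr($i, 4)]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Succeed if the listing on stdin contains at least one ECDHE suite.
has_ecdhe() {
    awk '$3 ~ /^ECDHE-/ { found = 1 } END { exit !found }'
}

# Print the ECDHE-* entries of cipher string $1 that are absent from the listing on stdin.
# These are entries Apache accepts in SSLCipherSuite but the build can never negotiate.
missing_ecdhe() {
    awk -v cfg="$1" '
        { have[$3] = 1 }
        END {
            n = split(cfg, want, ":")
            for (i = 1; i <= n; i++)
                if (want[i] ~ /^ECDHE-/ && !(want[i] in have)) print want[i]
        }'
}

# Demo on the constructed sample; on a real server pipe `openssl ciphers -V` instead.
if [ "${1:-}" = "--demo" ]; then
    sample_no_ecc | kx_summary
    sample_no_ecc | has_ecdhe || echo "no ECDHE suites in this OpenSSL build"
    sample_no_ecc | missing_ecdhe "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"
fi
```

On the server itself, `openssl ciphers -V | has_ecdhe` answers the question directly, and passing the configured `SSLCipherSuite` value to `missing_ecdhe` shows which configured entries are silently dropped.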