Jephe Wu - http://linuxtechres.blogspot.com
Environment: Apache httpd server with openssl
Objective: check renegotiation and weak cipher vulnerability and patch them
Steps:
1. How to check if a website supports openssl renegotiation and weak cipher?
method 1: openssl s_client command
use the openssl command that comes with CentOS 5.5:
openssl s_client -connect jephe.domain.com:443
the output contains either a 'Secure Renegotiation IS supported' or a 'Secure Renegotiation IS NOT supported' line
use 'openssl ciphers' to list all the ciphers available on the client Linux PC; then you can use the following commands to check whether the server accepts specific ciphers:
openssl s_client -connect jephe.domain.com:443 -cipher LOW:EXP - check if it supports LOW or EXP ciphers; for the definition of the LOW and EXP groups, see http://www.openssl.org/docs/apps/ciphers.html#
openssl s_client -connect jephe.domain.com:443 -cipher EXP-RC4-MD5 - check a specific cipher
openssl s_client -connect jephe.domain.com:443 -cipher MEDIUM - check if it supports MEDIUM ciphers
method 2: use public ssl database report
https://www.ssllabs.com/ssldb/index.htm
method 3: use a downloaded tool
download sslciphercheck from http://www.woany.co.uk/downloads/
then use sslciphercheck -h jephe.domain.com to check all supported ciphers
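The s_client checks above can be scripted so that the same two questions (is secure renegotiation advertised, and does the server accept a given cipher list) are answered from the tool's output. The script below is an added example, not part of the original post: it runs openssl s_client the way the post does and classifies the output, with the parsing split into functions that also work offline on the constructed sample output embedded in the script. The host name and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): drive "openssl s_client" as the
# post does and classify its output. Parsing is kept in separate functions so it
# can be exercised on captured output without network access.

# Read s_client output on stdin and print "secure", "insecure" or "unknown",
# based on the "Secure Renegotiation IS (NOT) supported" status line.
renego_status() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# Read s_client output on stdin and print the negotiated cipher name, or
# "none" when no cipher was agreed (s_client then prints "Cipher    : 0000").
negotiated_cipher() {
    c=$(sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$c" in
        ""|0000) echo none ;;
        *)       echo "$c" ;;
    esac
}

# Probe a live host (network access assumed; arguments are placeholders).
# Usage: probe_host jephe.domain.com 443 [CIPHERLIST]
probe_host() {
    host=$1; port=$2; list=${3:-DEFAULT}
    out=$(openssl s_client -connect "$host:$port" -cipher "$list" </dev/null 2>&1)
    printf 'renegotiation: %s\n' "$(printf '%s\n' "$out" | renego_status)"
    printf 'cipher list %s -> %s\n' "$list" "$(printf '%s\n' "$out" | negotiated_cipher)"
}

# Constructed sample s_client output (not captured from a real host): a server
# that advertises secure renegotiation and accepted AES256-SHA.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
---'

# Constructed sample: an unpatched server that rejected the offered cipher list.
SAMPLE_BAD='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
---'

# Offline demo: classify both constructed samples.
demo() {
    printf 'sample 1: renegotiation=%s cipher=%s\n' \
        "$(printf '%s\n' "$SAMPLE_OK" | renego_status)" \
        "$(printf '%s\n' "$SAMPLE_OK" | negotiated_cipher)"
    printf 'sample 2: renegotiation=%s cipher=%s\n' \
        "$(printf '%s\n' "$SAMPLE_BAD" | renego_status)" \
        "$(printf '%s\n' "$SAMPLE_BAD" | negotiated_cipher)"
}

# With a host argument, run the post's three checks against it; otherwise demo.
if [ -n "$1" ]; then
    probe_host "$1" "${2:-443}" DEFAULT
    probe_host "$1" "${2:-443}" LOW:EXP
    probe_host "$1" "${2:-443}" MEDIUM
else
    demo
fi
```

A cipher list that the server rejects shows up as a handshake failure and "Cipher    : 0000", which the script reports as "none". On OpenSSL 1.1.1 and later, -cipher only restricts the TLS 1.2 and older suites, so a connection may still succeed over TLS 1.3 even when the tested list is empty; add -no_tls1_3 (or -tls1_2) there so the answer reflects the list you are testing.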
2. How to patch it
For the renegotiation vulnerability, you can upgrade to the openssl 1.0a version.
For weak ciphers, you can use the following cipher suite configuration in Apache:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
You can also disable RC4, so it becomes:
SSLCipherSuite ALL:!ADH:!EXPORT56:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
note:
1. you can list all the ciphers that the openssl installed on the server supports:
/usr/local/ssl/bin/openssl ciphers | sed -e 's#:#\n#g' | sort
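Before putting a SSLCipherSuite string into httpd.conf, it is worth expanding it with the same openssl ciphers command from the note and checking that nothing export-grade, LOW, RC4 or NULL survives the exclusions. The script below is an added example, not from the original post: it expands the post's hardened string with the local OpenSSL, filters the verbose listing for weak entries, and includes a constructed sample of openssl ciphers -v output so the filter can be exercised offline. The "before" list (plain ALL) is an assumption standing in for an unrestricted configuration.

```shell
#!/bin/sh
# Added example (not from the original post): expand an Apache SSLCipherSuite
# string with the local OpenSSL and list any cipher that is still weak by the
# post's criteria (NULL encryption, export grade, LOW/56-bit DES, RC2, RC4).

# Filter "openssl ciphers -v" output on stdin down to the weak entries.
# The -v format is: NAME PROTO Kx=.. Au=.. Enc=ALG(bits) Mac=.. [export]
weak_lines() {
    grep -E 'Enc=None|export|Enc=RC4|Enc=DES\(56\)|Enc=RC2|\(40\)' || true
}

# Expand a cipher string with the installed OpenSSL and print its weak members.
weak_ciphers_in() {
    openssl ciphers -v "$1" 2>/dev/null | weak_lines
}

# Number of ciphers a string expands to (0 if OpenSSL rejects the string).
cipher_count() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c . || true
}

# Assumed unrestricted "before" list, and the post's hardened "after" string.
WEAK='ALL'
HARDENED='ALL:!ADH:!EXPORT56:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL'

# Constructed sample of "openssl ciphers -v" output (OpenSSL 0.9.8-era format),
# used for the offline check; only the first line is acceptable.
SAMPLE_V='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1'

# Report the expansion of both strings with the installed OpenSSL.
report() {
    for s in "$WEAK" "$HARDENED"; do
        printf '%s\n  %s cipher(s); weak ones:\n' "$s" "$(cipher_count "$s")"
        weak_ciphers_in "$s" | sed 's/^/    /'
    done
}

printf 'offline check of the constructed sample, weak entries:\n'
printf '%s\n' "$SAMPLE_V" | weak_lines | sed 's/^/    /'
if command -v openssl >/dev/null 2>&1; then
    report
fi
```

On a current OpenSSL the export and LOW suites are no longer compiled in, so the unrestricted list will look cleaner than it did on CentOS 5.5; the filter still catches NULL-encryption and RC4 suites where a build provides them, which is what the !eNULL and !RC4 exclusions in the hardened string are for.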
3. References
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
redhat knowledge base: https://access.redhat.com/kb/docs/DOC-20491
How to check openssl renegotiation and weak cipher vulnerability
Labels: apache, openssl, ssl certificate