How to disable RC4 cipher suite on an Apache server


Checking the configuration with Qualys SSL Labs, the results page shows “This server accepts the RC4 cipher, which is weak. Grade capped to B.”
This is a very common issue on older Apache versions such as 2.2.x.
So we need to disable RC4 so that the weak cipher suite can no longer be negotiated.

Locate your ssl.conf and try the settings below.
First, change SSLHonorCipherOrder from off to on. It defaults to off, so you may have to add a new line if you cannot find this directive in your ssl.conf file.

SSLHonorCipherOrder on

Then the default cipher suites need to be modified.

The default SSLCipherSuite line looks like the one below; add a # in front of it to comment it out.

# SSLCipherSuite ALL:!aNULL:!ADH:!DH:!EDH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Replace it with the line below to disable RC4:
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

In addition, you may want to disable SSLv2 and SSLv3 as well. Neither is safe anymore.
Find the SSLProtocol line and change it as shown below.

SSLProtocol ALL -SSLv2 -SSLv3

Restart Apache and you are done.

Visit https://www.ssllabs.com/ssltest/ again to confirm the RC4 warning is gone…
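As an added check that is not part of the original post: the following Python script audits an ssl.conf fragment for the three settings above (SSLHonorCipherOrder on, an explicit !RC4 kill token in SSLCipherSuite, and SSLv2/SSLv3 removed from SSLProtocol). The two conf fragments inside it are constructed samples, not taken from a real server, and the RC4 check is deliberately conservative: it requires the !RC4 token rather than evaluating the whole OpenSSL cipher string.

```python
# Added example, not from the original post. Both conf fragments are constructed samples.
BEFORE_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!aNULL:!ADH:!DH:!EDH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""
AFTER_CONF = """\
SSLEngine on
SSLHonorCipherOrder on
SSLProtocol ALL -SSLv2 -SSLv3
# SSLCipherSuite ALL:!aNULL:!ADH:!DH:!EDH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
"""


def directives(conf_text):
    """Map each directive (lower-cased) to its last uncommented value."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and commented-out lines
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip()
    return found


def audit(conf_text):
    """Return a list of findings; an empty list means all three settings are safe."""
    d = directives(conf_text)
    findings = []
    # 1. Without SSLHonorCipherOrder on, the client's cipher preference wins.
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off (Apache default)")
    # 2. Conservative check: require an explicit '!RC4' kill token. A token such as
    #    'RC4+RSA' (the old default) enables RC4; '!RC4' removes it permanently.
    tokens = [t.strip() for t in d.get("sslciphersuite", "").split(":")]
    if "!RC4" not in tokens:
        findings.append("SSLCipherSuite does not contain !RC4")
    # 3. SSLProtocol: 'all' enables every version unless '-SSLv2'/'-SSLv3' remove it;
    #    an explicit protocol list must simply not name them.
    proto = d.get("sslprotocol", "all").split()
    uses_all = any(p.lower() == "all" for p in proto)
    weak = [v for v in ("SSLv2", "SSLv3")
            if (uses_all and "-" + v not in proto) or v in proto or "+" + v in proto]
    if weak:
        findings.append("SSLProtocol still allows " + ", ".join(weak))
    return findings
```

Run audit() on the text of your own ssl.conf; the before sample yields three findings and the after sample none.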
