For maximum security, verify the correct use of cipher suites in Apache httpd.

Procedure

  1. To verify the correct use of cipher suites in Apache httpd, run the grep SSLCipherSuite /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf | grep -v '#' command from the command prompt.
    If Apache httpd uses the correct cipher suites, the command returns the following output: SSLCipherSuite HIGH:!aNULL!ADH:!EXP:!MD5:!3DES:!CAMELLIA:!PSK:!SRP:!DH:!AES256-GCM-SHA384:!AES256-SHA256:!AES256-SHA:!AES128-GCM-SHA256:!AES128-SHA256:!AES128-SHA:@STRENGTH
  2. To configure the correct use of cipher suites, run the sed -i "/^[^#]*SSLCipherSuite/ c\SSLCipherSuite HIGH:\!aNULL\!ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP:\!DH:\!AES256-GCM-SHA384:\!AES256-SHA256:\!AES256-SHA:\!AES128-GCM-SHA256:\!AES128-SHA256:\!AES128-SHA:@STRENGTH" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf command from the command prompt.
    Run this command if the output in Step 1 is not as expected.
    This command deactivates all cipher suites that use DH and DHE key exchange methods.
  3. Run the /etc/init.d/apache2 restart command from the command prompt to restart the Apache2 server.
  4. To reactivate DH, remove !DH from the cipher suites by running the sed -i "/^[^#]*SSLCipherSuite/ c\SSLCipherSuite HIGH:\!aNULL\!ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP:\!AES256-GCM-SHA384:\!AES256-SHA256:\!AES256-SHA:\!AES128-GCM-SHA256:\!AES128-SHA256:\!AES128-SHA:@STRENGTH" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf command from the command prompt.
  5. Run the systemctl restart httpd command from the command prompt to restart the Apache2 server.