Disabling RC4 in the SSL cipher suite of an Apache server
While installing the renewed certificate, I discovered that the problem was caused by specifying (for the domain and for each subdomain) in ISPConfig the entire set of data necessary for HTTPS: certificate, private key, CA chain, etc.
Put differently, removing the set of data led to the Qualys test to grade the domain A and at the same time remove the warnings about RC4. Putting the details back leads to the warnings coming back and the grade being capped at B again, which leaves no place for doubts as to the causality link.
It's as if the giving of the details for each vhost somehow created a new environment in which some defaults have overridden the cipher suite that I've specified in ssl.conf. Weird.
The solution is to add the SSLCipherSuite specification in the Apache Directives textarea for each vhost. This is what I have in the configuration that gets me an A grade:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on
# Compression is disabled by default on my distribution (CentOS 6)
# SSLCompression off
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
EDIT (2017-05-16): An additional finding about this problem: the specifying of SSLCipherSuite is mandatory. I can't fathom why that specific directive, although specified at the server level does not automatically apply to virtual host configurations. I am running Apache 2.2.15 on CentOS 6.9.
EDIT (2018-06-18): More information. I've just discovered that the SSLCipherSuite directive can be specified a single time and it will apply to all virtual hosts: in the base mod_ssl configuration file (on CentOS 6, the file is found at /etc/httpd/conf.d/ssl.conf), you simply have to specify the directive outside of the default virtualhost. The Apache 2.2 documentation states that the default value of this directive is SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. I reckon that this is where the RC4 cipher comes from: in the absence of any specification, which was the case for me since no specification was in the "global" context, the default value applies. This understanding ends what has been a mystery for me. Ironically, I'm about to switch to CentOS 7 when I find this explanation! HTH.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3
^^^^^^^
Bad idea. Disabling all SSLv3 ciphers results in disabling the ciphers usable with TLS1.0 and TLS1.1 and leaves only a few ciphers newly introduced with TLS1.2 (if your server supports TLS1.2)
I am therefore somehow lost as to why the SSL check websites are telling me that "the server accepts RC4". They even list the following ciphers as being accepted:
Make sure that you local and the external tests both access the same server (IP address). I've seen lots of sites where example.com is on a different host than www.example.com and thus the tests differ.
Qualys SSL labs seems very sensitive to default hosts etc. Check that ALL your HTTPS VirtualHosts on that IP address use the exact same settings (aside from certificate files), I had a similar issue where some of the Qualys tests tested against my targeted VirtualHost and some of the tests seemed to pick up a default VirtualHost. My targeted vhost had only a single cipher enabled but Qualys was finding a much bigger list from the default vhost.
I also found a better-looking script here that gives more thorough information about SSL tests.