TL;DR
The BEAST attack is an old vulnerability affecting older TLS versions. Qualys SSL tests often flag it. This guide shows you how to disable SSLv3 and weak cipher suites on your server to resolve the issue, improving your cyber security.
What’s happening?
The BEAST (Browser Exploit Against SSL/TLS) attack exploits a weakness in TLS 1.0 and earlier when certain (CBC-mode) cipher suites are negotiated. Qualys SSL Labs tests identify servers that still accept these vulnerable configurations and report them as a security risk.
Steps to Fix the BEAST Attack & Qualys Errors
- Identify Your Web Server: The steps vary depending on your server software (Apache, Nginx, IIS etc.). Find out which one you’re using.
- Check Current SSL Configuration: Use a tool like openssl to see what protocols and ciphers are enabled:
    openssl s_client -connect yourdomain.com:443
  Look for the lines starting with ‘Protocol’ and ‘Cipher’ in the SSL-Session block of the output.
- Disable SSLv3 (Essential): SSLv3 is highly vulnerable and should be disabled on all servers.
  - Apache: Edit your Apache configuration file (usually httpd.conf or a virtual host file). Add or modify the following line:
      SSLProtocol -all +TLSv1.2 +TLSv1.3
  - Nginx: Edit your Nginx configuration file (usually nginx.conf or a site configuration file). Add or modify the following line in the server block:
      ssl_protocols TLSv1.2 TLSv1.3;
  - IIS: Use the IIS Manager. Navigate to Server Certificates > Actions Pane (right side) > Bind SSL. Edit your binding and uncheck ‘SSL 3’.
  Note that the Apache and Nginx lines above leave only TLS 1.2 and 1.3 enabled, so they also remove TLS 1.0 and 1.1 (see Important Considerations below); that is what actually clears the BEAST finding, since BEAST targets TLS 1.0.
- Disable Weak Cipher Suites: Some cipher suites are also vulnerable. Remove them from your configuration.
  - Apache: Add or modify the following line in your Apache configuration file:
      SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
  - Nginx: Add or modify the following line in your Nginx configuration file:
      ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256;
  These lists contain only RSA-authenticated suites, so they assume an RSA certificate. If your certificate uses an ECDSA key, use the matching ECDHE-ECDSA-* suites instead; otherwise no cipher will match and clients will be unable to connect.
- Restart Your Web Server: Apply the changes by restarting your web server. Check the configuration syntax first (apachectl configtest or nginx -t) so that a typo does not take the site down.
  - Apache:
      sudo systemctl restart apache2
    (or similar, depending on your Linux distribution)
  - Nginx:
      sudo systemctl restart nginx
  - IIS: Restart the IIS service through the IIS Manager or command line.
- Re-test with Qualys SSL Labs: Use the Qualys SSL Labs SSL Server Test to verify that the BEAST vulnerability and weak cipher suites are no longer reported. Pay attention to the ‘Protocol Support’ section.
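As an added example (not part of the original guide), the POSIX shell script below automates the openssl check from step 2 and the re-test from step 6: it parses openssl s_client output for the negotiated protocol and cipher, classifies the pair against the guide's criteria (SSLv3/TLS 1.0 with a CBC suite is BEAST-exposed, TLS 1.1 is merely weak, TLS 1.2/1.3 is fine), and can probe a live host one protocol version at a time. The sample s_client output, the verdict strings and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: parse `openssl s_client`
# output, classify the negotiated protocol/cipher pair, and optionally probe a
# live host one TLS version at a time. Sample output, verdict strings and
# function names are constructed for this example.

# Print "PROTOCOL CIPHER" for s_client output read on stdin. s_client prints an
# "SSL-Session:" block with lines like
#     Protocol  : TLSv1.2
#     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
# A failed handshake still prints the block, with "Cipher    : 0000".
tls_summary() {
    awk -F':' '
        /^[ \t]*Protocol[ \t]*:/ { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); proto = v }
        /^[ \t]*Cipher[ \t]*:/   { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); cipher = v }
        END {
            if (proto == "") proto = "NONE"
            if (cipher == "") cipher = "NONE"
            print proto, cipher
        }
    '
}

# True (exit 0) for the protocol versions the guide says to turn off.
weak_protocol() {
    case "$1" in
        SSLv2|SSLv3|TLSv1|TLSv1.1) return 0 ;;
        *) return 1 ;;
    esac
}

# BEAST needs a CBC-mode block cipher under SSL 3.0 or TLS 1.0. Those versions
# have no AEAD (GCM) suites, so any block-cipher suite they negotiate is CBC;
# RC4 is a stream cipher and is not BEAST-affected (it is broken on its own).
beast_exposed() {
    case "$1" in SSLv3|TLSv1) ;; *) return 1 ;; esac
    case "$2" in *RC4*|*NULL*|NONE|0000) return 1 ;; *) return 0 ;; esac
}

# Turn a "PROTOCOL CIPHER" summary into a one-word verdict. Exit status is 0
# for "ok" and "no-handshake" (the server refused that version), 1 otherwise.
classify() {
    proto=${1%% *}
    cipher=${1#* }
    case "$cipher" in
        NONE|0000) echo "no-handshake"; return 0 ;;
    esac
    if beast_exposed "$proto" "$cipher"; then
        echo "BEAST-exposed"; return 1
    fi
    if weak_protocol "$proto"; then
        echo "weak-protocol"; return 1
    fi
    echo "ok"; return 0
}

# Live re-test (needs network): force each version in turn and report what the
# server accepts. SSLv3 is omitted because current OpenSSL builds are compiled
# without it. '@SECLEVEL=0' is needed on OpenSSL 3 so the *client* is willing
# to offer TLS 1.0/1.1 at all; without it every old version looks refused even
# when the server still supports it.
probe_host() {
    host=$1
    port=${2:-443}
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        summary=$(openssl s_client -connect "$host:$port" -servername "$host" \
                      -cipher 'DEFAULT:@SECLEVEL=0' -"$ver" </dev/null 2>/dev/null \
                  | tls_summary)
        printf '%-7s %-40s %s\n' "$ver" "$summary" "$(classify "$summary")"
    done
}

# Constructed sample of the relevant part of s_client output for a server that
# still negotiates TLS 1.0 with an AES-CBC suite.
SAMPLE_TLS10='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 5A3C
---'

# Offline demo on the sample; pass a hostname (and optional port) to probe live.
if [ "$#" -gt 0 ]; then
    probe_host "$@"
else
    summary=$(printf '%s\n' "$SAMPLE_TLS10" | tls_summary)
    printf 'sample: %s -> %s\n' "$summary" "$(classify "$summary")"
fi
```

Run it with no arguments to see the sample classified as BEAST-exposed, or with a hostname to get one line per protocol version; after applying the configuration from steps 3 and 4, tls1 and tls1_1 should show no-handshake and only tls1_2 and tls1_3 should show ok, which is the same picture Qualys reports under ‘Protocol Support’.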
Important Considerations
- TLS 1.0 & 1.1: While disabling SSLv3 is crucial, TLS 1.0 and 1.1 are also considered weak. If possible, disable them too (but ensure compatibility with older browsers first).
- Forward Secrecy: Ensure you’re using cipher suites that support Forward Secrecy for enhanced cyber security. The examples above include ECDHE ciphers which provide this.
- Regular Updates: Keep your web server software and SSL certificates up to date.