CVE-2013-2566
'The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.'
ClearCenter response
Short response
This attack presents little risk to ClearOS itself but rather to the client and data transmission integrity.
Long response
This attack requires a combination of improbable conditions that are typically only present together: old consumer browsers, compromised ISPs, coordinated attackers, and/or governments with snooping capabilities or network taps acting as a man-in-the-middle.
This is only a risk to those that are using old browsers and then only presents a risk to the data used between the old web browser and the ClearOS server. As such, it does not present much risk to ClearOS itself.
Resolution
If you want to change the behavior of your web server to ONLY allow stronger encryption, perform the following steps:
First, take a look at what a weak connection looks like by running the following:
openssl s_client -connect localhost:443 -cipher LOW:EXP
This should give you a long and valid response. Second, connect to your server on the command line and open /etc/httpd/conf.d/ssl.conf in your favorite editor (e.g. nano, vi, or emacs):
vi /etc/httpd/conf.d/ssl.conf
Change this line:
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
to this:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Third, save the file and restart the httpd service.
service httpd restart
Fourth, connect again to the httpd service using the same command as before:
openssl s_client -connect localhost:443 -cipher LOW:EXP
You should get rejected this time. Now try with only medium to high levels of encryption:
openssl s_client -connect localhost:443 -cipher MEDIUM:HIGH
You should get a connection and a lot of output just like the first time, but this time it is more secure.
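To see what the two SSLCipherSuite lines above actually select, here is an added example (not ClearOS or OpenSSL code) that models OpenSSL's cipher-string rules over a small constructed suite table; the table and its tags are simplified assumptions, not OpenSSL's real list.

```python
# Constructed, simplified cipher table (suite name -> OpenSSL-style tags).
# It only covers the keywords used in the two SSLCipherSuite lines above.
SUITES = {
    "AES256-SHA": {"RSA", "HIGH"},
    "AES128-SHA": {"RSA", "HIGH"},
    "DES-CBC3-SHA": {"RSA", "HIGH"},
    "RC4-SHA": {"RSA", "RC4", "MEDIUM"},
    "RC4-MD5": {"RSA", "RC4", "MEDIUM"},
    "DES-CBC-SHA": {"RSA", "LOW"},
    "EXP-RC4-MD5": {"RSA", "RC4", "EXP"},
    "ADH-AES128-SHA": {"ADH", "aNULL", "HIGH"},
    "ADH-RC4-MD5": {"ADH", "aNULL", "RC4", "MEDIUM"},
    "NULL-SHA": {"RSA", "eNULL"},
}
ALIASES = {"EXPORT": "EXP"}
BEFORE = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW"
AFTER = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"


def evaluate(spec, table=SUITES):
    """Ordered suite list selected by an OpenSSL cipher string. Rules modelled:
    a bare keyword appends matches, '!' deletes them permanently, '-' deletes
    them, '+' moves them to the end, 'A+B' needs both tags, ALL = all but eNULL."""
    enabled, killed = [], set()
    for token in spec.split(":"):
        op = token[0] if token[:1] in ("!", "-", "+") else ""
        name = token[len(op):]
        if name == "ALL":
            matches = [s for s, t in table.items() if "eNULL" not in t]
        else:
            tags = [ALIASES.get(p, p) for p in name.split("+")]
            matches = [s for s, t in table.items() if all(x in t for x in tags)]
        if op == "!":
            killed.update(matches)          # '!' suites can never be re-added
        if op in ("!", "-"):
            enabled = [s for s in enabled if s not in matches]
        elif op == "+":                     # reorder only: move matches last
            enabled = ([s for s in enabled if s not in matches]
                       + [s for s in enabled if s in matches])
        else:                               # append new matches, keep order
            enabled += [s for s in matches if s not in enabled and s not in killed]
    return enabled


def offers(spec, tag, table=SUITES):
    return any(tag in table[s] for s in evaluate(spec, table))


if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, ":".join(evaluate(spec)))
    # Nothing in AFTER removes RC4, and RC4+RSA explicitly re-lists it.
    print("RC4 still offered after the change:", offers(AFTER, "RC4"))
```

Running it shows that the new line drops the LOW and EXPORT suites but still offers RC4, because `RC4+RSA` remains in the list and no `!RC4` excludes it; the equivalent live check against the server is `openssl s_client -connect localhost:443 -cipher RC4`.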