We have a new security product that has detected SSL Weak Cipher strengths. I have been going round and round trying to figure out what the issue might be.

What I am down to is a config option with OpenSSL. It appears it reads the SSL Cipher strengths from the vhost-ssl.conf file in the \etc\apache2\vhosts.d directory.


The above is the default string. I have changed it as follows to eliminate the weak SSLv2.

SSLCipherSuite ALL:!ADH:!EXport56:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:+EXP:+eNULL:-SSLv2

The problem is the server still comes back as supporting encryption less than 128 bit. What options do I need to change to fix this issue?