On 04/29/14 08:20, Mick wrote:
>On Monday 28 Apr 2014 23:03:44 Joseph wrote:
>> On 04/28/14 21:38, Mick wrote:
>> >On Monday 28 Apr 2014 19:56:24 Joseph wrote:
>> >> How do I disable apache 40bit encryption connection to my server?
>> >> Is there a way to limit the connection to min 128-bit?
>> >>
>> > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
>> >
>> > https://bettercrypto.org/static/applied-crypto-hardening.pdf
>>
>> I've tried various combinations in my: 00_default_ssl_vhost.conf
>
>You can add it in the httpd.conf if you want it to apply globally for all
>apache webhosts.
>
>
>> SSLProtocol -ALL +SSLv3 +TLSv1
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>
>This is OK.
>
>
>> But openssl ciphers -v still lists:
>
>OpenSSL is not apache. The fact that openssl can work with certain ciphers
>does not mean that the apache server will offer them to connecting clients.
>
>--
>Regards,
>Mick

Thank you, yes, that helped. Placing these lines in httpd.conf instead of 40_mod_ssl.conf
Adding +TLSv1.2 allows me to get grade "A-"
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

The only comment I have is:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

Is there anything I can do about it?

--
Joseph
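An added example, not part of the original thread: a small audit of `openssl ciphers -v` style output that lists the suites below the 128-bit minimum asked about above and the suites that provide forward secrecy (ephemeral DH or ECDH key exchange). The sample listing is constructed and the function names are hypothetical; to check a real configuration, feed it the output of `openssl ciphers -v '<cipher string>'`, which expands the string as the local OpenSSL library interprets it.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`
# (OpenSSL 1.0.x style); not output captured from the poster's server.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# Kx labels that mean an ephemeral exchange. "ECDH/RSA" and "DH/RSA" are the
# static variants and give no forward secrecy; TLS 1.3 suites print "any".
FS_KX = {"ECDH", "DH", "any"}

def parse(listing):
    """Turn each listing line into a dict of the fields the audit needs."""
    suites = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or unrecognised line
        kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        enc = re.fullmatch(r"([^()]+)(?:\((\d+)\))?", kv.get("Enc", "None"))
        suites.append({
            "name": fields[0],
            "kx": kv.get("Kx", "").split("(")[0],  # drop export key size, e.g. RSA(512)
            "au": kv.get("Au", ""),
            "bits": int(enc.group(2) or 0) if enc else 0,  # Enc=None (NULL cipher) -> 0
            "export": "export" in fields[6:],
        })
    return suites

def audit(listing, min_bits=128):
    """Return (weak, forward_secret) suite names, in listing order."""
    weak, forward_secret = [], []
    for s in parse(listing):
        if s["export"] or s["bits"] < min_bits or s["au"] == "None":
            weak.append(s["name"])  # export grade, short key, or anonymous
        elif s["kx"] in FS_KX:
            forward_secret.append(s["name"])
    return weak, forward_secret

if __name__ == "__main__":
    weak, fs = audit(SAMPLE)
    print("below minimum:", weak)
    print("forward secret:", fs)
```

An empty forward-secret list, or one whose suites sort after the plain RSA suites in the listing, matches the situation the grading comment describes.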