Gentoo Archives: gentoo-user

From: Joseph <syscon780@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] apache disable 40bit encryption
Date: Tue, 29 Apr 2014 14:11:51
Message-Id: 20140429141141.GG4129@syscon7.ed.shawcable.net
In Reply to: Re: [gentoo-user] apache disable 40bit encryption by Mick
On 04/29/14 08:20, Mick wrote:
>On Monday 28 Apr 2014 23:03:44 Joseph wrote:
>> On 04/28/14 21:38, Mick wrote:
>> >On Monday 28 Apr 2014 19:56:24 Joseph wrote:
>> >> How do I disable apache 40bit encryption connection to my server?
>> >> Is there a way to limit the connection to min 128-bit?
>> >>
>> > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
>> >
>> > https://bettercrypto.org/static/applied-crypto-hardening.pdf
>>
>> I've tried various combinations in my: 00_default_ssl_vhost.conf
>
>You can add it in the httpd.conf if you want it to apply globally for all
>apache webhosts.
>
>
>> SSLProtocol -ALL +SSLv3 +TLSv1
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>
>This is OK.
>
>
>> But openssl ciphers -v still lists:
>
>OpenSSL is not apache. The fact that openssl can work with certain ciphers
>does not mean that the apache server will offer them to connecting clients.
>
>--
>Regards,
>Mick

Thank you, yes, that helped. Placing these lines in httpd.conf instead of 40_mod_ssl.conf
Adding +TLSv1.2 allows me to get grade "A-"
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

The only comment I have is:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

Is there anything I can do about it?

--
Joseph
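
A bare `openssl ciphers -v` lists everything the local OpenSSL build supports, while `openssl ciphers -v '<string>'` expands one specific cipher string. The shell function below is an added example, not part of the original thread: it audits that expanded output for suites under 128 bits and for forward-secret key exchange. The function and sample names are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit `openssl ciphers -v` output read on stdin.
# Real use (cipher string taken from the thread):
#   openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT' | audit_ciphers
# Exit status 0 only if no suite is under 128 bits and at least one
# authenticated suite uses ephemeral DH/ECDH (forward secrecy).
audit_ciphers() {
    awk '
    NF >= 5 {
        kx = ""; au = ""; bits = 0
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/) kx = substr($i, 4)
            if ($i ~ /^Au=/) au = substr($i, 4)
            # Enc=RC4(40) -> 40; Enc=None carries no size and counts as 0
            if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
        }
        total++
        if (bits < 128) { weak++; printf "WEAK %-24s %d bits\n", $1, bits }
        if ((kx == "DH" || kx == "ECDH") && au != "None") fs++
    }
    END {
        printf "suites=%d weak=%d forward_secrecy=%d\n", total, weak, fs
        exit !(weak == 0 && fs > 0)
    }'
}

# Constructed sample lines in the `openssl ciphers -v` output format.
sample_mixed() { cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EOF
}
sample_fs() { cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

sample_mixed | audit_ciphers || echo "cipher list needs tightening"
```

The result describes what the string selects in the local OpenSSL build; which suite a connection actually negotiates still depends on the enabled protocols and on the client.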

Replies

Subject Author
Re: [gentoo-user] apache disable 40bit encryption Mick <michaelkintzios@×××××.com>