Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] apache disable 40bit encryption
Date: Tue, 29 Apr 2014 14:42:16
Message-Id: 201404291541.42358.michaelkintzios@gmail.com
In Reply to: Re: [gentoo-user] apache disable 40bit encryption by Joseph
On Tuesday 29 Apr 2014 15:11:41 Joseph wrote:
> On 04/29/14 08:20, Mick wrote:
> >On Monday 28 Apr 2014 23:03:44 Joseph wrote:
> >> On 04/28/14 21:38, Mick wrote:
> >> >On Monday 28 Apr 2014 19:56:24 Joseph wrote:
> >> >> How do I disable apache 40-bit encryption connection to my server?
> >> >> Is there a way to limit the connection to min 128-bit?
> >> >>
> >> > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
> >> >
> >> > https://bettercrypto.org/static/applied-crypto-hardening.pdf
> >>
> >> I've tried various combinations in my: 00_default_ssl_vhost.conf
> >
> >You can add it in the httpd.conf if you want it to apply globally for all
> >apache webhosts.
> >
> >> SSLProtocol -ALL +SSLv3 +TLSv1
> >> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
> >
> >This is OK.
> >
> >> But openssl ciphers -v still lists:
> >OpenSSL is not apache. The fact that openssl can work with certain
> >ciphers does not mean that the apache server will offer them to
> >connecting clients.
>
> Thank you, yes, that helped. Placing these lines in httpd.conf instead of
> 40_mod_ssl.conf. Adding +TLSv1.2 allows me to get grade "A-":
> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>
> The only comment I have is:
> The server does not support Forward Secrecy with the reference browsers.
> Grade reduced to A-.
>
> Is there anything I can do about it?

Yes, for forward secrecy you need to prioritise Diffie-Hellman Ephemeral (DHE)
key exchange. If you are prepared to leave some browsers unable to connect
then you can also consider adding Elliptic Curves (ECDHE).

The bettercrypto.org link I provided in a previous message explains all this
and provides some cut 'n paste configuration options.

--
Regards,
Mick

Attachments: signature.asc (application/pgp-signature)
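Worked example added by the editor, not part of the thread or of any Gentoo or Apache documentation: an Apache 2.2 mod_ssl vhost that puts the cipher-suite change Mick describes into practice. The poster's own SSLCipherSuite line is kept (commented out) next to a corrected one that lists ephemeral key exchange first, and SSLHonorCipherOrder is switched on so the server's order, not the browser's, decides. The ServerName, certificate paths and the exact cipher list are the editor's assumptions; the SSLProtocol line is the one posted in the thread.

```apache
# Added example (editor's, not from the thread): Apache 2.2 vhost that
# prefers forward-secret key exchange. ServerName and file paths are
# placeholders; SSLProtocol is exactly as posted in the thread.

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key

    SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2

    # As posted: plain RSA key exchange (no forward secrecy) is eligible and
    # nothing forces the server's ordering, so a browser whose own list puts
    # an RSA suite first negotiates it and SSL Labs reports "no FS":
    #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

    # Corrected: ECDHE first, DHE second, plain RSA only as a fallback for
    # clients that support neither. EECDH and EDH are OpenSSL's aliases for
    # ephemeral ECDH and ephemeral DH; the negative entries drop anonymous,
    # null, export, low-strength, MD5 and single-DES suites.
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES

    # Without this the client's preference wins and the ordering above
    # has no effect on what gets negotiated.
    SSLHonorCipherOrder on
</VirtualHost>
```

Two caveats a practitioner should keep in mind. On an OpenSSL built without elliptic-curve support (as Gentoo's USE=bindist openssl was at the time), the EECDH entries match nothing and the list silently degrades to DHE first, which still gives forward secrecy. Apache 2.2 (and 2.4 before 2.4.7) uses a built-in 1024-bit DH group for DHE, so ECDHE is the stronger choice where the OpenSSL build allows it. To confirm the change from a client, `openssl s_client -connect www.example.com:443 -cipher 'EECDH:EDH'` fails to handshake if the server offers no ephemeral suite, and the negotiated suite shows on the "Cipher" line of a normal `s_client` run. Separately from forward secrecy, +SSLv3 is retained here only because the thread's configuration has it; any deployment after the October 2014 POODLE disclosure (CVE-2014-3566) should remove it.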