On Tuesday 29 Apr 2014 15:11:41 Joseph wrote:
> On 04/29/14 08:20, Mick wrote:
> >On Monday 28 Apr 2014 23:03:44 Joseph wrote:
> >> On 04/28/14 21:38, Mick wrote:
> >> >On Monday 28 Apr 2014 19:56:24 Joseph wrote:
> >> >> How do I disable apache 40-bit encryption connections to my server?
> >> >> Is there a way to limit the connection to a minimum of 128-bit?
> >> >>
> >> > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
> >> >
> >> > https://bettercrypto.org/static/applied-crypto-hardening.pdf
> >>
> >> I've tried various combinations in my: 00_default_ssl_vhost.conf
> >
> >You can add it in the httpd.conf if you want it to apply globally for all
> >apache webhosts.
> >
> >> SSLProtocol -ALL +SSLv3 +TLSv1
> >> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
> >
> >This is OK.
> >
> >> But openssl ciphers -v still lists:
> >OpenSSL is not apache. The fact that openssl can work with certain
> >ciphers does not mean that the apache server will offer them to
> >connecting clients.
>
> Thank you, yes, that helped. Placing these lines in httpd.conf instead of
> 40_mod_ssl.conf and adding +TLSv1.2 allows me to get grade "A-":
> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>
> The only comment I have is:
> The server does not support Forward Secrecy with the reference browsers.
> Grade reduced to A-.
>
> Is there anything I can do about it?

Yes, for forward secrecy you need to prioritise Diffie-Hellman Ephemeral (DHE)
key exchange. If you are prepared to leave some browsers unable to connect
then you can also consider adding Elliptic Curves (ECDHE).

The bettercrypto.org link I provided in a previous message explains all this
and provides some cut 'n paste configuration options.

--
Regards,
Mick
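An added example, not from this thread or from either poster: a small Python check that reads `openssl ciphers -v` style output in server preference order, flags which ciphers give forward secrecy (ephemeral DH or ECDH key exchange), and models which cipher a client ends up with when the server's order is honoured (the SSLHonorCipherOrder behaviour). The two cipher listings and the client list are constructed samples, not output captured from the list member's server.

```python
import re

# Constructed sample in `openssl ciphers -v` format: what a suite of the shape
# "ALL:!ADH:RC4+RSA:+HIGH:..." tends to put first (RSA key exchange, no FS).
PAGE_STYLE_OUTPUT = """\
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA  Au=RSA Enc=RC4(128)    Mac=MD5
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
"""

# Constructed sample with ECDHE/DHE prioritised ahead of plain RSA key exchange.
FS_FIRST_OUTPUT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
"""

# Constructed client offer (a "reference browser" that also speaks ECDHE/DHE).
CLIENT_OFFER = {"RC4-SHA", "AES256-SHA", "DHE-RSA-AES256-SHA",
                "ECDHE-RSA-AES128-GCM-SHA256"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")
FIELDS = ("name", "proto", "kx", "au", "enc", "mac")


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts, preserving the listed order."""
    return [dict(zip(FIELDS, m.groups()))
            for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def has_forward_secrecy(cipher):
    """Ephemeral DH/ECDH shows as Kx=DH or Kx=ECDH; static RSA (Kx=RSA) does not
    give forward secrecy. Anonymous DH would also match on Kx, so require Au."""
    return cipher["kx"] in ("DH", "ECDH") and cipher["au"] != "None"


def negotiated(server_order, client_offer):
    """With the server's order honoured, the first server cipher the client also
    offers is selected. Returns that cipher dict, or None if nothing overlaps."""
    return next((c for c in server_order if c["name"] in client_offer), None)


def fs_outcome(server_text, client_offer):
    """Return (chosen cipher name, True if that cipher gives forward secrecy)."""
    chosen = negotiated(parse_ciphers(server_text), client_offer)
    return (chosen["name"], has_forward_secrecy(chosen)) if chosen else (None, False)
```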