httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject [users@httpd] Enabling ECDHE ciphers
Date Thu, 17 Apr 2014 16:27:37 GMT
All,

I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
support them. I've done the obvious:

SSLHonorCipherOrder Yes
SSLProtocol ALL -SSLv2
SSLCipherSuite ECDHE:ECDH:..[other stuff]

I have confirmed that, when running "openssl ciphers [stuff above]" that
I get ECDHE ciphers listed at the top of the list. I'm running OpenSSL
1.0.1g-FIPS so that shouldn't be a problem.

Both my browser and Qualys's SSL tester don't seem to be able to use
those ciphers. Is it because I haven't run "openssl ecparam"? I
haven't seen this shown anywhere online as a requirement for enabling ECDHE (or
ECDH) ciphers, though it makes sense that I'd have to do
something like that.

Or is it because I have "SSLProtocol ALL -SSLv2", which prefers SSLv3,
then TLSv1, then TLSv1.1, etc. instead of having them in the opposite
order? I tried "SSLProtocol TLSv1.2 TLSv1.1 TLSv1 SSLv3 -SSLv2" but I
get an error saying that "TLSv1.2 is unrecognized".

I'm running httpd 2.2.23 on Amazon Linux. I read in the comments for
mod_ssl that httpd 2.2.24 is required for "TLSv1.2" to be specified
directly. Is that accurate? I can see in my Qualys test that TLS 1.2 can
be used by some of the "simulated clients", so I suspect that it is in
fact available -- perhaps just not preferred?

Any help would be appreciated.

Thanks,
-chris
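The following Python script is an added example for readers of this thread; it is not part of the post above and not httpd or mod_ssl code. It makes the two checks the post describes repeatable: auditing a cipher list in server-preference order (the `openssl ciphers -v` step, here fed either constructed sample lines in that format or the local OpenSSL's expansion of a cipher string via the `ssl` module), and a client-side probe that offers a server only ECDHE suites and reports what it negotiated. Two facts it relies on: in OpenSSL's cipher-string syntax the `ECDH` alias also matches the anonymous AECDH suites, so a string such as `ECDHE:ECDH:...` should end with `!aNULL` and the audit flags any suite with `Au=None`; and with OpenSSL 1.0.x the server application has to install a temporary ECDH key (`SSL_CTX_set_tmp_ecdh`) before any ECDHE suite can be negotiated, so a mod_ssl build that never makes that call will not pick one whatever `SSLCipherSuite` says, which the probe exposes as a handshake failure. `SSLProtocol` is a set of permitted versions, not a preference list; the highest version both sides support is negotiated. The sample descriptions, the hostname argument and the function names are the example's own assumptions.

```python
"""Audit a cipher list for (authenticated) ECDHE suites and probe a server
for ECDHE support.  Added example; not code from the post, httpd or mod_ssl."""
import re
import socket
import ssl

# Per-suite description format shared by `openssl ciphers -v` and
# ssl.SSLContext.get_ciphers()[i]["description"], e.g.
#   "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
_DESC_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")

# Constructed sample output (OpenSSL 1.0.1 format) for "ECDHE:ECDH:AES128-SHA":
# note the anonymous AECDH suite pulled in by the bare "ECDH" alias.
SAMPLE_ECDHE_FIRST = [
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD",
    "ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1",
    "AECDH-AES128-SHA            SSLv3   Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1",
    "ECDH-RSA-AES128-SHA         SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1",
    "AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1",
]
# Constructed sample where a static-RSA suite is preferred over ECDHE.
SAMPLE_RSA_FIRST = [
    "AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1",
    "ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1",
]


def classify(description):
    """Parse one suite description into (name, protocol, kx, au)."""
    m = _DESC_RE.match(description.strip())
    if not m:
        raise ValueError("unrecognised cipher description: %r" % description)
    return m.group("name"), m.group("proto"), m.group("kx"), m.group("au")


def audit_cipher_list(descriptions):
    """Summarise a cipher list given in server preference order.

    first_ecdhe: first suite with ephemeral ECDH key exchange (Kx=ECDH, not
                 the static Kx=ECDH/RSA form) that authenticates the server;
    anonymous:   suites with Au=None (AECDH/ADH), i.e. what "!aNULL" must remove;
    order_ok:    True if the most-preferred authenticated (non-TLS1.3) suite is ECDHE.
    """
    first_ecdhe = first_auth = None
    anonymous = []
    for desc in descriptions:
        name, proto, kx, au = classify(desc)
        if proto == "TLSv1.3":
            continue  # TLS 1.3 suites are (EC)DHE by construction; ordered separately
        if au == "None":
            anonymous.append(name)
            continue
        if first_auth is None:
            first_auth = name
        if kx == "ECDH" and first_ecdhe is None:
            first_ecdhe = name
    return {"first_ecdhe": first_ecdhe, "anonymous": anonymous,
            "order_ok": first_auth is not None and first_auth == first_ecdhe}


def audit_local_openssl(cipher_string):
    """Run the same audit on what the local OpenSSL expands cipher_string to
    (the programmatic form of the `openssl ciphers` check in the post)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return audit_cipher_list(c["description"] for c in ctx.get_ciphers())


def negotiated_cipher(host, port=443, cipher_string="ECDHE:!aNULL", timeout=5.0):
    """Offer the server only the suites in cipher_string and return the
    (name, protocol, bits) it picked, or None if the handshake failed.  A
    server whose TLS stack cannot do ECDHE fails here ("handshake failure" /
    "no shared cipher") regardless of how its own cipher order is set."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # force the legacy suite list
    ctx.set_ciphers(cipher_string)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    import sys
    print("sample audit:", audit_cipher_list(SAMPLE_ECDHE_FIRST))
    print("local openssl:", audit_local_openssl("ECDHE:ECDH:AES128-SHA:!aNULL"))
    if len(sys.argv) > 1:  # hypothetical usage: python ecdhe_check.py www.example.org
        print("server picked:", negotiated_cipher(sys.argv[1]))
```

If `negotiated_cipher` returns a suite for a host, the server can do ECDHE and any remaining problem is ordering (`SSLHonorCipherOrder` plus an `SSLCipherSuite` that lists ECDHE first); if it returns None while an unrestricted connection succeeds, the server side is not offering ECDHE at all and no cipher-string or `SSLProtocol` change will make it. Ending the string with `!aNULL` matters because the anonymous suites flagged in `anonymous` provide no server authentication.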

