httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dr James Smith <...@sanger.ac.uk>
Subject Re: [users@httpd] Help disabling weak ciphers.
Date Sat, 16 Jul 2016 06:44:06 GMT
I use:

   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

as the setting for ciphers - this gets a A+ rating on the qualys SSL 
labs scoring (although Java 6 + IE 6 clients don't work but that is the 
compromise you need to take)

James

On 15/07/2016 22:49, Spork Schivago wrote:
> Hello,
>
> I think I figured it out.  I removed the DES-CBC3-SHA line from the 
> SSL Cipher Suite list and now this is the output from nmap:
>
> | Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's 
> Encrypt/countryName=US
> | Public Key type: rsa
> | Public Key bits: 2048
> | Signature Algorithm: sha256WithRSAEncryption
> | Not valid before: 2016-07-13T03:49:00
> | Not valid after:  2016-10-11T03:49:00
> | MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
> |_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
> | ssl-enum-ciphers:
> |   TLSv1.0:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> |     compressors:
> |       NULL
> |     cipher preference: client
> |   TLSv1.1:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> |     compressors:
> |       NULL
> |     cipher preference: client
> |   TLSv1.2:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> |     compressors:
> |       NULL
> |     cipher preference: client
> |_  least strength: A
>
> Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
>
>
> With the least strength being A, that's exactly what I want, right?   
> That would mean the ciphers are very strong ones? I'm still trying to 
> learn all of this and now I gotta figure out how to enable "Perfect" 
> Forward Secrecy.   Thanks!



-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message