httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Spork Schivago <sporkschiv...@gmail.com>
Subject Re: [users@httpd] Help disabling weak ciphers.
Date Sat, 16 Jul 2016 22:06:15 GMT
I made the required changes but don't get the A+ rating, still A.   Forward
Secrecy is enabled, which is good.   I don't actually see scores for the
bar graph but I do see certain ones don't go to the 100%.   One was the
Protocol Support.   However, if I disable TLSv1 and TLSv1.1, then Protocol
Support goes to 100%.

I'm wondering what clients wouldn't be able to connect if I disable TLSv1.0
and TLSv1.1.   I'd imagine if a client supports TLSv1.1, it probably
supports TLSv1.2.   Is there a list or any website that can test my website
to see what browsers / OS's won't be able to connect?   I'm okay with
dropping TLSv1.0 and TLSv1.1 support if it means people using XP won't be
able to connect but 99% of the internet users out there will be able.
 But if dropping support for TLSv1.0 and TLSv1.1 means only 10% of the
users will be able to connect, I'd like to not drop it.  Any suggestions
from anyone?

Thanks!

On Sat, Jul 16, 2016 at 3:59 PM, Spork Schivago <sporkschivago@gmail.com>
wrote:

> Wow, thank you Dr. James Smith!   I am going to try your cipher list and
> see if I can get the A+ rating.   That's exactly what I'm after.   Are
> there any other drawbacks besides losing support for Java 6 and IE 6
> clients?   I originally started writing my website to be IE 6 compatible
> but after learning a good bit, I've decided that was a horrible idea.
> Even if users are still using XP, I believe they can at least install IE 8,
> however, people who are still running Windows XP should highly consider
> upgrading if they're getting on the internet, I'd think.
>
> Thank you!!!
>
> Ken
>
> On Sat, Jul 16, 2016 at 2:44 AM, Dr James Smith <js5@sanger.ac.uk> wrote:
>
>> I use:
>>
>>   SSLProtocol all -SSLv2 -SSLv3
>>   SSLHonorCipherOrder on
>>   SSLCipherSuite
>> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>>
>> as the setting for ciphers - this gets a A+ rating on the qualys SSL labs
>> scoring (although Java 6 + IE 6 clients don't work but that is the
>> compromise you need to take)
>>
>> James
>>
>>
>> On 15/07/2016 22:49, Spork Schivago wrote:
>>
>>> Hello,
>>>
>>> I think I figured it out.  I removed the DES-CBC3-SHA line from the SSL
>>> Cipher Suite list and now this is the output from nmap:
>>>
>>> | Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's
>>> Encrypt/countryName=US
>>> | Public Key type: rsa
>>> | Public Key bits: 2048
>>> | Signature Algorithm: sha256WithRSAEncryption
>>> | Not valid before: 2016-07-13T03:49:00
>>> | Not valid after:  2016-10-11T03:49:00
>>> | MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
>>> |_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
>>> | ssl-enum-ciphers:
>>> |   TLSv1.0:
>>> |     ciphers:
>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>> |     compressors:
>>> |       NULL
>>> |     cipher preference: client
>>> |   TLSv1.1:
>>> |     ciphers:
>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>> |     compressors:
>>> |       NULL
>>> |     cipher preference: client
>>> |   TLSv1.2:
>>> |     ciphers:
>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>> |     compressors:
>>> |       NULL
>>> |     cipher preference: client
>>> |_  least strength: A
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
>>>
>>>
>>> With the least strength being A, that's exactly what I want, right?
>>>  That would mean the ciphers are very strong ones? I'm still trying to
>>> learn all of this and now I gotta figure out how to enable "Perfect"
>>> Forward Secrecy.   Thanks!
>>>
>>
>>
>>
>> --
>> The Wellcome Trust Sanger Institute is operated by Genome Research
>> Limited, a charity registered in England with number 1021457 and a company
>> registered in England with number 2742969, whose registered office is 215
>> Euston Road, London, NW1 2BE.
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

Mime
View raw message