httpd-users mailing list archives

From Spork Schivago <sporkschiv...@gmail.com>
Subject Re: [users@httpd] Help disabling weak ciphers.
Date Sat, 16 Jul 2016 22:15:41 GMT
I think I figured it out. I think I just had to scroll down a bit in
Qualys SSL Labs. I see a list of browsers and with TLSv1.0 and TLSv1.1
disabled, I now see: Server sent fatal alert: protocol_version

I believe they're the ones that don't support the protocols that I've
disabled.

I think I'll try with TLSv1.0 disabled and maybe TLSv1.1 and TLSv1.2
enabled.   That way I can be PCI compliant.   Now I have to figure out what
this SNI is and whether I want it enabled or not.

Thanks for all the help!!

On Sat, Jul 16, 2016 at 6:06 PM, Spork Schivago <sporkschivago@gmail.com>
wrote:

> I made the required changes but don't get the A+ rating, still A.
> Forward Secrecy is enabled, which is good.   I don't actually see scores
> for the bar graph but I do see certain ones don't go to the 100%.   One was
> the Protocol Support.   However, if I disable TLSv1 and TLSv1.1, then
> Protocol Support goes to 100%.
>
> I'm wondering what clients wouldn't be able to connect if I disable
> TLSv1.0 and TLSv1.1.   I'd imagine if a client supports TLSv1.1, it
> probably supports TLSv1.2.   Is there a list or any website that can test
> my website to see what browsers / OS's won't be able to connect?   I'm okay
> with dropping TLSv1.0 and TLSv1.1 support if it means people using XP won't
> be able to connect but 99% of the internet users out there will be able.
>  But if dropping support for TLSv1.0 and TLSv1.1 means only 10% of the
> users will be able to connect, I'd like to not drop it.  Any suggestions
> from anyone?
>
> Thanks!
>
> On Sat, Jul 16, 2016 at 3:59 PM, Spork Schivago <sporkschivago@gmail.com>
> wrote:
>
>> Wow, thank you Dr. James Smith!   I am going to try your cipher list and
>> see if I can get the A+ rating.   That's exactly what I'm after.   Are
>> there any other drawbacks besides losing support for Java 6 and IE 6
>> clients?   I originally started writing my website to be IE 6 compatible
>> but after learning a good bit, I've decided that was a horrible idea.
>> Even if users are still using XP, I believe they can at least install IE 8,
>> however, people who are still running Windows XP should highly consider
>> upgrading if they're getting on the internet, I'd think.
>>
>> Thank you!!!
>>
>> Ken
>>
>> On Sat, Jul 16, 2016 at 2:44 AM, Dr James Smith <js5@sanger.ac.uk> wrote:
>>
>>> I use:
>>>
>>>   SSLProtocol all -SSLv2 -SSLv3
>>>   SSLHonorCipherOrder on
>>>   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>>>
>>> as the setting for ciphers - this gets an A+ rating on the Qualys SSL
>>> Labs scoring (although Java 6 + IE 6 clients don't work but that is the
>>> compromise you need to take)
>>>
>>> James
>>>
>>>
>>> On 15/07/2016 22:49, Spork Schivago wrote:
>>>
>>>> Hello,
>>>>
>>>> I think I figured it out.  I removed the DES-CBC3-SHA line from the SSL
>>>> Cipher Suite list and now this is the output from nmap:
>>>>
>>>> | Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
>>>> | Public Key type: rsa
>>>> | Public Key bits: 2048
>>>> | Signature Algorithm: sha256WithRSAEncryption
>>>> | Not valid before: 2016-07-13T03:49:00
>>>> | Not valid after:  2016-10-11T03:49:00
>>>> | MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
>>>> |_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
>>>> | ssl-enum-ciphers:
>>>> |   TLSv1.0:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |   TLSv1.1:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |   TLSv1.2:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |_  least strength: A
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
>>>>
>>>>
>>>> With the least strength being A, that's exactly what I want, right?
>>>>  That would mean the ciphers are very strong ones? I'm still trying to
>>>> learn all of this and now I gotta figure out how to enable "Perfect"
>>>> Forward Secrecy.   Thanks!
>>>>
>>>
>>>
>>>
>>
>
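
Added example, not part of the original thread: a small parser for nmap `ssl-enum-ciphers` output like the scan quoted above, reporting the three things the thread keeps returning to (protocols below a chosen minimum, `cipher preference: client`, and suites without forward secrecy). The sample input, the function names and the `min_protocol` default (taken from the poster's plan to drop TLSv1.0) are assumptions of this example.

```python
import re

# Constructed sample in the format of the nmap ssl-enum-ciphers output quoted
# in the thread (abridged; the "server" preference on TLSv1.2 is made up).
SAMPLE = """\
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     cipher preference: server
|_  least strength: A
"""

ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CIPHER = re.compile(r"^\|\s+(TLS_\w+) \([^)]*\) - ([A-F])$")
PREF = re.compile(r"^\|\s+cipher preference: (\w+)$")

def parse(text):
    """Map each protocol to its offered ciphers and who picks the cipher."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate e-mail quote prefixes
        name = line.lstrip("|_ ").rstrip(":")
        if name in ORDER:
            current = result.setdefault(name, {"ciphers": [], "preference": None})
        elif current is not None and (m := CIPHER.match(line)):
            current["ciphers"].append((m.group(1), m.group(2)))
        elif current is not None and (m := PREF.match(line)):
            current["preference"] = m.group(1)
    return result

def findings(text, min_protocol="TLSv1.1"):
    """Return (protocol, issue) pairs; min_protocol is a policy assumption."""
    out = []
    for proto, info in parse(text).items():
        if ORDER.index(proto) < ORDER.index(min_protocol):
            out.append((proto, "protocol below minimum"))
        if info["preference"] == "client":  # server cipher order not enforced
            out.append((proto, "client picks the cipher"))
        no_fs = [c for c, _ in info["ciphers"]  # plain RSA key exchange
                 if not c.startswith(("TLS_DHE_", "TLS_ECDHE_"))]
        if no_fs:
            out.append((proto, f"{len(no_fs)} suite(s) without forward secrecy"))
    return out
```

The letter grade nmap prints per suite says nothing about forward secrecy or cipher ordering, which is why a scan can end in `least strength: A` and still show all three findings.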
