I think I figured it out. I think I just had to scroll down a bit in
Qualys SSL Labs. I see a list of browsers and with TLSv1.0 and TLSv1.1
disabled, I now see: Server sent fatal alert: protocol_version
I believe they're the ones that don't support the protocols that I've
disabled.
I think I'll try with TLSv1.0 disabled and maybe TLSv1.1 and TLSv1.2
enabled. That way I can be PCI compliant. Now I have to figure out what
this SNI is and whether I want it enabled or not.
Thanks for all the help!!
On Sat, Jul 16, 2016 at 6:06 PM, Spork Schivago <sporkschivago@gmail.com>
wrote:
> I made the required changes but don't get the A+ rating, still A.
> Forward Secrecy is enabled, which is good. I don't actually see scores
> for the bar graph but I do see certain ones don't go to the 100%. One was
> the Protocol Support. However, if I disable TLSv1 and TLSv1.1, then
> Protocol Support goes to 100%.
>
> I'm wondering what clients wouldn't be able to connect if I disable
> TLSv1.0 and TLSv1.1. I'd imagine if a client supports TLSv1.1, it
> probably supports TLSv1.2. Is there a list or any website that can test
> my website to see what browsers / OS's won't be able to connect? I'm okay
> with dropping TLSv1.0 and TLSv1.1 support if it means people using XP won't
> be able to connect but 99% of the internet users out there will be able.
> But if dropping support for TLSv1.0 and TLSv1.1 means only 10% of the
> users will be able to connect, I'd like to not drop it. Any suggestions
> from anyone?
>
> Thanks!
>
> On Sat, Jul 16, 2016 at 3:59 PM, Spork Schivago <sporkschivago@gmail.com>
> wrote:
>
>> Wow, thank you Dr. James Smith! I am going to try your cipher list and
>> see if I can get the A+ rating. That's exactly what I'm after. Are
>> there any other drawbacks besides losing support for Java 6 and IE 6
>> clients? I originally started writing my website to be IE 6 compatible
>> but after learning a good bit, I've decided that was a horrible idea.
>> Even if users are still using XP, I believe they can at least install IE 8,
>> however, people who are still running Windows XP should highly consider
>> upgrading if they're getting on the internet, I'd think.
>>
>> Thank you!!!
>>
>> Ken
>>
>> On Sat, Jul 16, 2016 at 2:44 AM, Dr James Smith <js5@sanger.ac.uk> wrote:
>>
>>> I use:
>>>
>>> SSLProtocol all -SSLv2 -SSLv3
>>> SSLHonorCipherOrder on
>>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>>>
>>> as the setting for ciphers; this gets an A+ rating on the Qualys SSL
>>> Labs scoring (although Java 6 + IE 6 clients don't work but that is the
>>> compromise you need to take)
>>>
>>> James
>>>
>>>
>>> On 15/07/2016 22:49, Spork Schivago wrote:
>>>
>>>> Hello,
>>>>
>>>> I think I figured it out. I removed the DES-CBC3-SHA line from the SSL
>>>> Cipher Suite list and now this is the output from nmap:
>>>>
>>>> | Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
>>>> | Public Key type: rsa
>>>> | Public Key bits: 2048
>>>> | Signature Algorithm: sha256WithRSAEncryption
>>>> | Not valid before: 2016-07-13T03:49:00
>>>> | Not valid after:  2016-10-11T03:49:00
>>>> | MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
>>>> |_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
>>>> | ssl-enum-ciphers:
>>>> |   TLSv1.0:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |   TLSv1.1:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |   TLSv1.2:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |_  least strength: A
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
>>>>
>>>>
>>>> With the least strength being A, that's exactly what I want, right?
>>>> That would mean the ciphers are very strong ones? I'm still trying to
>>>> learn all of this and now I gotta figure out how to enable "Perfect"
>>>> Forward Secrecy. Thanks!
>>>>
>>>
>>>
>>>
>>> 
>>> The Wellcome Trust Sanger Institute is operated by Genome Research
>>> Limited, a charity registered in England with number 1021457 and a company
>>> registered in England with number 2742969, whose registered office is 215
>>> Euston Road, London, NW1 2BE.
>>> 
>>> To unsubscribe, email: users-unsubscribe@httpd.apache.org
>>> For additional commands, email: users-help@httpd.apache.org
>>>
>>>
>>
>
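Added example, not code from the thread, from nmap, or from the Apache project: a small Python script that reads an nmap ssl-enum-ciphers report like the one quoted above and answers the two questions the thread circles around, which offered suites lack forward secrecy and whether the server actually enforces its cipher order ("cipher preference: client" means a client is free to pick a static-RSA suite even though ECDHE is on offer), and then drafts the SSLProtocol line that drops the pre-TLS 1.2 protocols the scan found. The embedded report is a constructed, trimmed copy of the quoted scan; the "| " line prefix it expects, the function names and the wording of the findings are this example's own assumptions.

```python
"""Audit an nmap ssl-enum-ciphers report: forward secrecy, cipher order, legacy protocols.

Added example for this thread, not the poster's, nmap's or Apache's own code. It assumes
the report shape nmap prints (lines prefixed with "| " or "|_"); the sample below is a
constructed excerpt modelled on the scan quoted in the thread.
"""
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the scan quoted in the thread.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+) \(([^)]*)\)(?: - ([A-F]))?$")
PREF_RE = re.compile(r"^cipher preference: (\w+)$")

# nmap protocol names -> Apache SSLProtocol names; everything below TLS 1.2 is legacy.
LEGACY = {"SSLv2": "SSLv2", "SSLv3": "SSLv3", "TLSv1.0": "TLSv1", "TLSv1.1": "TLSv1.1"}


def has_forward_secrecy(suite):
    """Ephemeral (EC)DHE key exchange gives forward secrecy; static RSA/DH does not."""
    return bool(re.match(r"^TLS_(EC)?DHE_", suite))


def is_aead(suite):
    """GCM and ChaCha20-Poly1305 suites are AEAD; CBC suites need a separate MAC."""
    return "_GCM_" in suite or "CHACHA20" in suite


def parse_scan(text):
    """Return {protocol: {"ciphers": [(name, key_exchange, grade)], "preference": str}}."""
    protocols = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's "| " / "|_" margin and indentation
        m = PROTO_RE.match(line)
        if m:
            current = protocols.setdefault(m.group(1), {"ciphers": [], "preference": None})
            continue
        if current is None:
            continue
        m = CIPHER_RE.match(line)
        if m:
            current["ciphers"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = PREF_RE.match(line)
        if m:
            current["preference"] = m.group(1)
    return protocols


def summarize(protocols):
    """Per-protocol view: legacy?, server-enforced order?, PFS / non-PFS / AEAD suites."""
    report = OrderedDict()
    for proto, info in protocols.items():
        names = [name for name, _, _ in info["ciphers"]]
        report[proto] = {
            "legacy": proto in LEGACY,
            "server_order": info["preference"] == "server",
            "pfs": [n for n in names if has_forward_secrecy(n)],
            "non_pfs": [n for n in names if not has_forward_secrecy(n)],
            "aead": [n for n in names if is_aead(n)],
        }
    return report


def findings(report):
    """Human-readable problems, in the order a hardening pass would fix them."""
    out = []
    for proto, r in report.items():
        if r["legacy"]:
            out.append(f"{proto}: legacy protocol offered; remove it from SSLProtocol")
        if r["non_pfs"]:
            out.append(f"{proto}: {len(r['non_pfs'])} suite(s) use static RSA key exchange (no forward secrecy)")
        if r["non_pfs"] and r["pfs"] and not r["server_order"]:
            out.append(f"{proto}: client picks the suite; set SSLHonorCipherOrder on so (EC)DHE is preferred")
    return out


def recommended_ssl_protocol(report):
    """Apache SSLProtocol line that drops every legacy protocol the scan saw."""
    drops = [LEGACY[p] for p in report if p in LEGACY]
    return "SSLProtocol all" + "".join(f" -{p}" for p in drops)


if __name__ == "__main__":
    rep = summarize(parse_scan(SAMPLE_SCAN))
    for line in findings(rep):
        print(line)
    print(recommended_ssl_protocol(rep))
```

Run it against a real report by feeding the text of `nmap --script ssl-enum-ciphers -p 443 host` to `parse_scan` instead of the sample. The "client picks the suite" finding is the one that matters for an A+ run: offering ECDHE suites is not enough if the server lets the client choose, which is what `SSLHonorCipherOrder on` in the configuration quoted above fixes.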
