httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Spork Schivago <sporkschiv...@gmail.com>
Subject Re: [users@httpd] Help disabling weak ciphers.
Date Sat, 16 Jul 2016 19:59:17 GMT
Wow, thank you Dr. James Smith!   I am going to try your cipher list and
see if I can get the A+ rating.   That's exactly what I'm after.   Are
there any other drawbacks besides losing support for Java 6 and IE 6
clients?   I originally started writing my website to be IE 6 compatible
but after learning a good bit, I've decided that was a horrible idea.
Even if users are still using XP, I believe they can at least install IE 8,
however, people who are still running Windows XP should highly consider
upgrading if they're getting on the internet, I'd think.

Thank you!!!

Ken

On Sat, Jul 16, 2016 at 2:44 AM, Dr James Smith <js5@sanger.ac.uk> wrote:

> I use:
>
>   SSLProtocol all -SSLv2 -SSLv3
>   SSLHonorCipherOrder on
>   SSLCipherSuite
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>
> as the setting for ciphers - this gets a A+ rating on the qualys SSL labs
> scoring (although Java 6 + IE 6 clients don't work but that is the
> compromise you need to take)
>
> James
>
>
> On 15/07/2016 22:49, Spork Schivago wrote:
>
>> Hello,
>>
>> I think I figured it out.  I removed the DES-CBC3-SHA line from the SSL
>> Cipher Suite list and now this is the output from nmap:
>>
>> | Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's
>> Encrypt/countryName=US
>> | Public Key type: rsa
>> | Public Key bits: 2048
>> | Signature Algorithm: sha256WithRSAEncryption
>> | Not valid before: 2016-07-13T03:49:00
>> | Not valid after:  2016-10-11T03:49:00
>> | MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
>> |_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
>> | ssl-enum-ciphers:
>> |   TLSv1.0:
>> |     ciphers:
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>> |     compressors:
>> |       NULL
>> |     cipher preference: client
>> |   TLSv1.1:
>> |     ciphers:
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>> |     compressors:
>> |       NULL
>> |     cipher preference: client
>> |   TLSv1.2:
>> |     ciphers:
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>> |     compressors:
>> |       NULL
>> |     cipher preference: client
>> |_  least strength: A
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
>>
>>
>> With the least strength being A, that's exactly what I want, right?
>>  That would mean the ciphers are very strong ones? I'm still trying to
>> learn all of this and now I gotta figure out how to enable "Perfect"
>> Forward Secrecy.   Thanks!
>>
>
>
>
> --
> The Wellcome Trust Sanger Institute is operated by Genome Research
> Limited, a charity registered in England with number 1021457 and a company
> registered in England with number 2742969, whose registered office is 215
> Euston Road, London, NW1 2BE.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Mime
View raw message