httpd-users mailing list archives

From David Copeland <david.copel...@jsidata.ca>
Subject Re: [users@httpd] SSLCipherSuite and SSL Key Exchange
Date Wed, 07 Dec 2016 11:56:22 GMT
Try the configuration tool at
https://mozilla.github.io/server-side-tls/ssl-config-generator/ .

Dave.

On 07/12/16 06:19 AM, Tea Wrex wrote:
> I have been using the Qualys SSL Labs SSL Server Test
> <https://www.ssllabs.com/ssltest/index.html> to test my SSL
> implementation. It scores an SSL server using the criteria located in
> the SSL Server Rating Guide
> <https://www.ssllabs.com/projects/rating-guide/index.html>. I'm trying
> to make the SSL as secure as possible. I have a 4096 bit certificate.
> My server currently gets an A+ rating because I have enabled HTTP
> Strict Transport Security (HSTS) with long duration. (More info on
> correctly configuring SSL can be found here
> <https://www.ssllabs.com/projects/documentation/index.html>.)
>
>
> What I am trying to do is get the /Key Exchange/ and /Cipher Strength/
> scores to be 100 percent. I already have a 100 percent grade for the
> /Certificate/ and /Protocol Support/ scores.
>
> I have no idea how to fix the /Key Exchange/ score, so I need help
> with that.
>
> I have been trying to change the /Cipher Strength/ score by playing
> with different variations of /SSLCipherSuite/.
>
> This is my current setting for /SSLCipherSuite/:
>
> SSLCipherSuite ECHD:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4
>
> It says in the Apache manual under /SSLCipherSuite/ that MEDIUM is
> "all ciphers with 128 bit encryption." However, when I have set
> !MEDIUM (as shown above) it does not remove the 128 bit ciphers as they
> are still listed in the test results. I have tried various settings
> but cannot seem to remove the 128 bit ciphers. I also tried -MEDIUM but
> that did not work either.
>
> Thanks in advance for any help you can give,
>
> Tea
>
>


-- 
David Copeland
JSI Data Systems Limited
613-727-9353
www.jsidata.ca
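
An added example, not part of either message above: a Python check that asks the local OpenSSL (through Python's `ssl` module) which suites a cipher string actually selects and lists those under 256 bits. OpenSSL classes AES128 suites as HIGH rather than MEDIUM, which is why `!MEDIUM` leaves them in the list. Assumptions: the sample string is constructed (modeled on the posted setting, starting with the keyword ECDH), the function names and `min_bits` are hypothetical, and the OpenSSL linked into Python may differ from the one mod_ssl uses.

```python
import ssl

# Constructed sample, modeled on the posted setting; "ECDH" is an assumption.
SAMPLE = "ECDH:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4"


def expand(cipher_string):
    """Suites (TLS 1.2 and below) the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selected no usable cipher
    # TLS 1.3 suites are not governed by this string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def below(cipher_string, min_bits=256):
    """Names and key sizes of selected suites weaker than min_bits (hypothetical knob)."""
    return [(c["name"], c["strength_bits"])
            for c in expand(cipher_string) if c["strength_bits"] < min_bits]


def explicit_string(cipher_string, min_bits=256):
    """Colon-joined list naming only the selected suites of at least min_bits."""
    return ":".join(c["name"] for c in expand(cipher_string)
                    if c["strength_bits"] >= min_bits)


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for name, bits in below(SAMPLE):
        print(f"still offered: {name} ({bits} bits)")
    strict = explicit_string(SAMPLE)
    print("SSLCipherSuite", strict)
    print("weak suites left:", below(strict))
```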

