httpd-users mailing list archives

From Tea Wrex <wrex...@gmail.com>
Subject [users@httpd] SSLCipherSuite and SSL Key Exchange
Date Wed, 07 Dec 2016 11:19:05 GMT
I have been using the Qualys SSL Labs SSL Server Test
<https://www.ssllabs.com/ssltest/index.html> to test my SSL implementation.
It scores an SSL server using the criteria located in the SSL Server Rating
Guide <https://www.ssllabs.com/projects/rating-guide/index.html>. I'm
trying to make the SSL as secure as possible. I have a 4096 bit
certificate. My server currently gets an A+ rating because I have enabled
HTTP Strict Transport Security (HSTS) with a long duration. (More info on
correctly configuring SSL can be found here
<https://www.ssllabs.com/projects/documentation/index.html>.)


What I am trying to do is get the *Key Exchange* and *Cipher Strength*
scores to be 100 percent. I already have a 100 percent grade for the
*Certificate* and *Protocol Support* scores.

I have no idea how to fix the *Key Exchange* score, so I need help with
that.

I have been trying to change the *Cipher Strength* score by playing with
different variations of *SSLCipherSuite*.

This is my current setting for *SSLCipherSuite*:

SSLCipherSuite ECHD:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4

It says in the Apache manual under *SSLCipherSuite* that MEDIUM is "all
ciphers with 128 bit encryption." However, when I have set !MEDIUM (as
shown above) it does not remove the 128bit ciphers as they are still listed
in the test results. I have tried various settings but cannot seem to
remove the 128 bit ciphers. I also tried -MEDIUM but that did not work
either.

Thanks in advance for any help you can give,

Tea
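
A way to check locally what the cipher string in this message expands to, as an added example that is not part of the original post: it uses Python's `ssl` module (a wrapper around OpenSSL) to list each selected suite with its key strength and to build an explicit list of the suites at 256 bits or more. The first keyword is written as `ECDH` here, which is an assumption (the post shows `ECHD`), and the output reflects the OpenSSL build Python is linked against, which may differ from the one httpd uses.

```python
import ssl

# Cipher string from the post, with the first keyword written as ECDH
# (assumption: the post shows "ECHD").
POSTED = "ECDH:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4"


def expand(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL selects for cipher_string.

    TLS 1.3 suites are skipped: OpenSSL configures them separately and
    set_ciphers() does not affect them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def below(suites, bits):
    """Names of suites whose effective key strength is under `bits`."""
    return [c["name"] for c in suites if c["strength_bits"] < bits]


def explicit_list(cipher_string, min_bits=256):
    """Build an explicit suite list keeping only suites >= min_bits."""
    keep = [c["name"] for c in expand(cipher_string)
            if c["strength_bits"] >= min_bits]
    return ":".join(keep)


if __name__ == "__main__":
    suites = expand(POSTED)
    for c in suites:
        print(f'{c["name"]:<34} {c["strength_bits"]:>3} bits')
    print("still under 256 bits:", below(suites, 256))
    # Candidate directive value listing only the suites that passed the filter.
    print("SSLCipherSuite", explicit_list(POSTED))
```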
