From: David Copeland (JSI Data Systems Limited)
To: users@httpd.apache.org
Date: Wed, 7 Dec 2016 06:56:22 -0500
Subject: Re: [users@httpd] SSLCipherSuite and SSL Key Exchange

Try the configuration tool at https://mozilla.github.io/server-side-tls/ssl-config-generator/.

Dave.

On 07/12/16 06:19 AM, Tea Wrex wrote:
I have been using the Qualys SSL Labs SSL Server Test to test my SSL implementation. It scores an SSL server using the criteria located in the SSL Server Rating Guide. I'm trying to make the SSL as secure as possible. I have a 4096-bit certificate. My server currently gets an A+ rating because I have enabled HTTP Strict Transport Security (HSTS) with long duration. (More info on correctly configuring SSL can be found here.)


What I am trying to do is get the Key Exchange and Cipher Strength scores to be 100 percent. I already have a 100 percent grade for the Certificate and Protocol Support scores.

I have no idea how to fix the Key Exchange score, so I need help with that.

I have been trying to change the Cipher Strength score by playing with different variations of SSLCipherSuite.

This is my current setting for SSLCipherSuite:

SSLCipherSuite ECHD:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4

It says in the Apache manual under SSLCipherSuite that MEDIUM is "all ciphers with 128 bit encryption." However, when I have set !MEDIUM (as shown above) it does not remove the 128-bit ciphers as they are still listed in the test results. I have tried various settings but cannot seem to remove the 128-bit ciphers. I also tried -MEDIUM but that did not work either.

Thanks in advance for any help you can give,

Tea




-- 
David Copeland
JSI Data Systems Limited
613-727-9353
www.jsidata.ca
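As an added check (not from the thread), this Python script parses `openssl ciphers -v` output for a given SSLCipherSuite string and lists the suites that still use a symmetric key shorter than 256 bits (the "128-bit ciphers" the poster could not remove) and the suites that lack ephemeral key exchange. The sample lines are constructed, and the `expand` helper assumes a local `openssl` binary.

```python
import re
import shutil
import subprocess
# One `openssl ciphers -v` line per suite; the (bits) group is absent for Enc=None.
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\w+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

def parse_ciphers(text):
    """One dict per suite line; lines that are not in -v format are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"] or 0)
            suites.append(d)
    return suites

def audit(text, min_bits=256):
    """weak_enc: symmetric key shorter than min_bits; weak_kx: no ephemeral
    key exchange (Kx=any is how OpenSSL 1.1.1+ prints TLS 1.3 suites)."""
    suites = parse_ciphers(text)
    return {
        "total": len(suites),
        "weak_enc": [s["name"] for s in suites if s["bits"] < min_bits],
        "weak_kx": [s["name"] for s in suites if s["kx"] not in ("ECDH", "DH", "any")],
    }

def expand(cipher_string):
    """Expand a cipher string with the local openssl; '' if unavailable or invalid."""
    if shutil.which("openssl") is None:
        return ""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True)
    return out.stdout if out.returncode == 0 else ""

# Constructed sample in -v format (not output from the poster's server). The
# AES128 suites survive !MEDIUM because OpenSSL files them under HIGH, not
# MEDIUM; !AES128 (or an explicit AES256-only list) is what removes them.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

if __name__ == "__main__":
    # Falls back to SAMPLE when openssl is not installed.
    print(audit(expand("ECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4") or SAMPLE))
```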