On that note I thought I'd share the cipher suites we have been using:
kEECDH+ECDSA:kEECDH:kEDH:+SHA:-3DES:kRSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!DSS:!PSK:!SRP:!RC4:!SEED:!kECDH:!CAMELLIA
- avoids using RC4
- prefers forward secrecy for all browsers except those which do not support it
- no server-side mitigation of the BEAST attack
- if Java 6 clients have to access the site, 1024-bit dhparams have to be set

kEECDH+ECDSA:kEECDH:RC4:+AES+SHA:+RSA+RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!DSS:!SRP:!PSK:!3DES:!SEED:!kECDH:!CAMELLIA
- server-side mitigation of the BEAST attack, uses RC4 for older browsers though
- prefers forward secrecy for modern browsers

On Sat, Aug 2, 2014 at 12:19 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Mark,
>
> On 8/1/14, 3:48 PM, Mark Thomas wrote:
> > On 01/08/2014 13:57, Rémy Maucherat wrote:
> >> Well, it can be disabled easily by reverting back to the old default in
> >> the endpoint. Sorry for all the defects, the code that was submitted was
> >> supposed to be fine ;)
> >
> > Thanks. I appreciate that.
> >
> >> If you think the feature is too complex and doesn't provide enough benefit,
> >> it can also be removed altogether.
> >
> > I'm still on the fence. I've removed the system property part as that
> > was changing the meaning of some aliases and that might cause a few
> > surprises.
> >
> > On balance I like the idea of the feature and having spent this week
> > getting it into shape I'm reluctant to just delete it.
> >
> > In terms of ensuring correct behaviour, we now have unit tests that
> > demonstrate that all the individual aliases are correct. Next I want to
> > test some more complex expressions to check the operators all behave as
> > expected.
>
> Here's one you can try on for size:
>
> !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:MEDIUM
>
> I'm sure you can find more by googling for "httpd recommended
> CipherSuite" and see what kinds of crazy things people have been
> recommending to adjust things to get the "perfect" set of ciphers in
> whatever order ;)
>
> -chris
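The operator semantics the quoted reply wants to test (a bare alias appends matching suites, `+` moves already-selected suites to the end, `-` deselects them but lets a later element add them back, `!` removes them for good, and `a+b` inside one element means both must match) can be exercised against a small model. The block below is an added example, not OpenSSL's or Tomcat's code: the suite table, its starting order and the alias subset (`kEECDH`, `kEDH`, `kRSA`, `ECDSA`, `aRSA`, `aNULL`, `eNULL`, `AES`, `3DES`, `RC4`, `SHA`, `MD5`) are constructed for illustration, and any alias the model does not know raises an error.

```python
"""Toy model of how OpenSSL evaluates a cipher-list string (added example,
not OpenSSL's or Tomcat's code). The suite table is constructed and small;
real OpenSSL has many more suites and pre-sorts them before the user's
string is applied."""

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Cipher:
    name: str
    kx: str    # key exchange: ECDHE, DHE or RSA
    auth: str  # authentication: ECDSA, RSA or NONE (anonymous)
    enc: str   # bulk cipher: AESGCM, AES, 3DES, RC4 or NONE
    mac: str   # SHA1, SHA256 or MD5
    bits: int


# Constructed table in a plausible "strongest first" starting order.
TABLE: List[Cipher] = [
    Cipher("ECDHE-RSA-AES256-SHA", "ECDHE", "RSA", "AES", "SHA1", 256),
    Cipher("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE", "ECDSA", "AESGCM", "SHA256", 128),
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "RSA", "AESGCM", "SHA256", 128),
    Cipher("ECDHE-RSA-RC4-SHA", "ECDHE", "RSA", "RC4", "SHA1", 128),
    Cipher("AECDH-AES128-SHA", "ECDHE", "NONE", "AES", "SHA1", 128),
    Cipher("DHE-RSA-AES128-SHA", "DHE", "RSA", "AES", "SHA1", 128),
    Cipher("AES128-SHA", "RSA", "RSA", "AES", "SHA1", 128),
    Cipher("DES-CBC3-SHA", "RSA", "RSA", "3DES", "SHA1", 112),
    Cipher("RC4-MD5", "RSA", "RSA", "RC4", "MD5", 128),
    Cipher("NULL-SHA", "RSA", "RSA", "NONE", "SHA1", 0),
]

# Subset of OpenSSL's aliases, as predicates over a suite's attributes.
ALIASES: Dict[str, Callable[[Cipher], bool]] = {
    "kEECDH": lambda c: c.kx == "ECDHE",
    "kEDH": lambda c: c.kx == "DHE",
    "kRSA": lambda c: c.kx == "RSA",
    "ECDSA": lambda c: c.auth == "ECDSA",
    "aRSA": lambda c: c.auth == "RSA",
    "aNULL": lambda c: c.auth == "NONE",
    "eNULL": lambda c: c.enc == "NONE",
    "AES": lambda c: c.enc in ("AES", "AESGCM"),
    "3DES": lambda c: c.enc == "3DES",
    "RC4": lambda c: c.enc == "RC4",
    "SHA": lambda c: c.mac == "SHA1",
    "MD5": lambda c: c.mac == "MD5",
}


def compile_rule(body: str, table: List[Cipher]) -> Callable[[Cipher], bool]:
    """'kRSA+3DES' means every alias must match; a bare suite name matches itself."""
    names = {c.name for c in table}
    preds = []
    for part in body.split("+"):
        if part in ALIASES:
            preds.append(ALIASES[part])
        elif part in names:
            preds.append(lambda c, n=part: c.name == n)
        else:
            raise ValueError(f"unknown cipher alias: {part!r}")
    return lambda c: all(p(c) for p in preds)


def evaluate(cipher_string: str, table: List[Cipher] = TABLE) -> List[str]:
    """Return the selected suite names in preference order.

    No prefix appends inactive matches; '+' moves active matches to the end;
    '-' deactivates them (a later element may add them back); '!' removes
    them permanently.
    """
    order = list(table)  # current list order, selected or not
    active = set()       # names currently selected
    for element in cipher_string.split(":"):
        if not element:
            continue
        op, body = (element[0], element[1:]) if element[0] in "+-!" else ("", element)
        match = compile_rule(body, table)
        matched = [c for c in order if match(c)]  # snapshot before mutating
        if op == "":
            for c in matched:
                if c.name not in active:
                    order.remove(c)
                    order.append(c)
                    active.add(c.name)
        elif op == "+":
            for c in matched:
                if c.name in active:
                    order.remove(c)
                    order.append(c)
        elif op == "-":
            # Walk backwards so deleted suites keep their relative order at the head.
            for c in reversed(matched):
                if c.name in active:
                    order.remove(c)
                    order.insert(0, c)
                    active.discard(c.name)
        else:  # "!"
            for c in matched:
                order.remove(c)
                active.discard(c.name)
    return [c.name for c in order if c.name in active]


if __name__ == "__main__":
    # The first string from the post, cut down to the aliases this model knows.
    print(evaluate("kEECDH+ECDSA:kEECDH:kEDH:+SHA:-3DES:kRSA+3DES:!aNULL:!eNULL:!MD5:!RC4"))
```

Run on the cut-down first string (the `LOW`, `EXP`, `DSS`, `PSK`, `SRP`, `SEED`, `kECDH` and `CAMELLIA` elements are dropped because the constructed table has no such suites), the model selects the two GCM suites first, then `ECDHE-RSA-AES256-SHA`, the DHE suite, and `DES-CBC3-SHA` last: `+SHA` pushed the SHA1 suites behind the GCM ones, `-3DES:kRSA+3DES` re-added 3DES at the end rather than dropping it, and `AES128-SHA` never appears because no element adds plain RSA key exchange, which is the "prefers forward secrecy" property the post describes. Comparing `kRSA:-3DES:kRSA+3DES` with `kRSA:!3DES:kRSA+3DES` shows the difference between `-` and `!` directly.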