Thanks to you and Chuck, I have a more reasonable (I think): SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:-eNULL:-SSLv3:-SSLv2:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA256
Reasonable depends on the use case. Though this topic would be better discussed on freebsd-security@, the good advice given on <https://wiki.mozilla.org/Security/Server_Side_TLS>, <https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/> and <https://weakdh.org/sysadmin.html> tends to recommend: SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLProtocol all -SSLv2 -SSLv3 SSLCompression off SSLHonorCipherOrder on and if you're using httpd 2.3.3 or higher: SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) If you're processing credit cards SSLProtocol will need to be expanded to "-SSLv2 -SSLv3 -TLSv1" by 2016/07 (for PCI compliance) and if you have good reason to be paranoid and all of your clients are up-to-date, add "-TLSv1.1". Roger Marquis _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "[email protected]"
