On 06/01/2015 07:09 PM, Matthew D. Fuller wrote: > On Mon, Jun 01, 2015 at 07:02:57PM -0500 I heard the voice of > Tim Daneliuk, and lo! it spake thus: >> >> This is what happens when you are: A) In a hurry and B) Paranoid and >> C) Willing to copypasta a config without thought :( >> >> Thanks to you and Chuck, I have a more reasonable (I think): >> >> SSLCipherSuite >> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:-eNULL:-SSLv3:-SSLv2:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA256 > > That still looks awful weird. Paranoid, and enabling +LOW? If you're > having to explicitly list ciphers, you're probably on the wrong > path... > > And I suspect the "-SSLv3:-SSLv2" isn't really what you want. You > probably want to disable the _protocols_, not the _ciphers_. e.g., on > a 10.x machine, I have > > SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 > SSLProtocol All -SSLv2 -SSLv3
With your settings the site scores slighly more poorly than with mine as reported by SSL Labs. I will continue to tinker to find the sweet spot of browser compatibility with best protection. (The +LOW should have been -LOW.) > > (I figure every extra character on the CipherSuite line means either > I'm way smarter, or way dumber. And there's only so much smarter I > can get, so...) > > -- ---------------------------------------------------------------------------- Tim Daneliuk [email protected] PGP Key: http://www.tundraware.com/PGP/ _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "[email protected]"
