On 04/29/14 08:20, Mick wrote:
> On Monday 28 Apr 2014 23:03:44 Joseph wrote:
>> On 04/28/14 21:38, Mick wrote:
>>> On Monday 28 Apr 2014 19:56:24 Joseph wrote:
>>>> How do I disable apache 40bit encryption connection to my server?
>>>> Is there a way to limit the connection to min 128-bit?
>>>>
>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
>>>
>>> https://bettercrypto.org/static/applied-crypto-hardening.pdf
>> I've tried various combinations in my: 00_default_ssl_vhost.conf
> You can add it in the httpd.conf if you want it to apply globally for all
> apache webhosts.
>> SSLProtocol -ALL +SSLv3 +TLSv1
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
> This is OK.
>> But openssl ciphers -v still lists:
> OpenSSL is not apache. The fact that openssl can work with certain ciphers
> does not mean that the apache server will offer them to connecting clients.
> --
> Regards,
> Mick
Thank you, yes, that helped. Placing these lines in httpd.conf instead of
40_mod_ssl.conf
Adding +TLSv1.2 allows me to get grade "A-"
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
The only comment I have is:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.
Is there anything I can do about it?
--
Joseph
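An added example, not from this thread: a small Python script that expands a mod_ssl SSLCipherSuite string into the suites it selects, the same list `openssl ciphers -v` prints, and reports which of them lack forward secrecy (a non-ephemeral key exchange, which is what the scanner comment above is about). It compares the cipher string used in this thread with a forward-secrecy-only string chosen for this example; the expansion comes from the OpenSSL that the local Python `ssl` module links against, so results depend on that OpenSSL version.

```python
import ssl

# The SSLCipherSuite value used in the thread above.
THREAD_CIPHERS = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT"
# A forward-secrecy-only alternative chosen for this example (not from the thread):
# only ephemeral (ECDHE/DHE) key exchange with AEAD ciphers, no anonymous or MD5 suites.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL/mod_ssl cipher string into the suites it selects,
    in preference order. TLS 1.3 suites are dropped because SSLCipherSuite
    strings of this form only govern TLS 1.2 and earlier."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers()
            if not c["protocol"].startswith("TLSv1.3")]


def has_forward_secrecy(cipher):
    """A suite provides forward secrecy when its key exchange is ephemeral:
    the 'kea' field is kx-ecdhe / kx-dhe (or their PSK variants). Static RSA
    key exchange (kx-rsa) lets a stolen server key decrypt recorded traffic."""
    return cipher["kea"].startswith(("kx-ecdhe", "kx-dhe"))


def suites_without_forward_secrecy(cipher_string):
    """Names of the selected suites that do not provide forward secrecy."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if not has_forward_secrecy(c)]


if __name__ == "__main__":
    for label, cipher_string in (("thread", THREAD_CIPHERS), ("pfs-only", PFS_CIPHERS)):
        suites = expand_cipher_string(cipher_string)
        weak = suites_without_forward_secrecy(cipher_string)
        print(f"{label}: {len(suites)} suites, {len(weak)} without forward secrecy")
        # 'description' is the same text 'openssl ciphers -v' prints per suite.
        for c in suites[:5]:
            print("   ", c["description"])
        for name in weak[:5]:
            print("    no forward secrecy:", name)
```

Run it on the server host so the expansion uses the same OpenSSL that mod_ssl links against; to make the server actually pick a forward-secret suite first you also need SSLHonorCipherOrder on, otherwise the client's preference decides.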