On Tuesday 01 September 2015 15:14:17 Andreas Thulin wrote:
> Hi misc readers!
>
> This is my first attempt to ask for help using [email protected], so please
> bear with me if I'm making mistakes. Also, apologies if I'm asking about
> something recently discussed.
>
> I want to limit the number of tls ciphers in httpd.conf so that only
> strong (>128 bit) ciphers with Forward Secrecy capabilities (ECDHE) are
> accepted. I'm also only using TLSv1.2.
>
> My current httpd.conf contains a line saying
>
> tls ciphers "STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH"
You could also just use secure (or default):

tls ciphers "secure"

That will get you "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" (looks like I need to
improve the documentation here...). DHE will be off by default, unless you
also enable it via "tls dhe ..." (hint: there is a reason why it is off by
default).

> which renders out "Configuration OK" with '# /usr/sbin/httpd -n'.
> Also, when testing that string using
>
> # openssl ciphers -v 'STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH'
>
> I get a nice, acceptable list of the ciphers. However, when running a
> server test
> (https://www.ssllabs.com/ssltest/analyze.html?d=andreasthulin.se),
> there's a much longer list of ciphers, including both non-FS and medium
> strength ciphers.
>
> I'm thinking that either
>
> 1. my assumption that my httpd.conf is all dandy is wrong (highly
> probable),
> 2. SSL Labs is lying to me (improbable), or
> 3. there's some sort of bug in httpd (improbable).
>
> Does anyone have any pointers?
>
> OpenBSD 5.8-current (GENERIC) #1095: Mon Aug 24. i386.
>
> BR
> Andreas
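As an added example (not part of this thread and not code from httpd or OpenBSD): a small Python script that parses the output of `openssl ciphers -v` and reports which suites satisfy the policy the reply describes for `tls ciphers "secure"`: TLSv1.2 only, an AEAD suite, and ECDHE key exchange, with DHE accepted only when `tls dhe` has been enabled. The listing embedded in the script is constructed for the example, not captured from anyone's server; the `min_bits` floor is an addition to express the ">128 bit" requirement from the original question; and the `--dhe` flag and the function names are the script's own. The point for the thread is that what `openssl ciphers` expands locally and what a live server actually negotiates are two different things, so the list this script prints is what to hold the SSL Labs result against.

```python
"""Filter an `openssl ciphers -v` listing to the suites that meet the policy
described in the thread: TLSv1.2, AEAD, forward-secret key exchange (ECDHE,
plus DHE only if "tls dhe" has been enabled in httpd.conf).

Real input:  openssl ciphers -v 'ALL:COMPLEMENTOFALL' | python3 cipher_policy.py
Add --dhe to treat Kx=DH suites as enabled. With no piped input the
constructed sample below is used.
"""
import re
import sys
from typing import List, NamedTuple

# Constructed sample in the one-line-per-suite format `openssl ciphers -v`
# prints (name, protocol, Kx=, Au=, Enc=, Mac=). Not captured from a real host.
SAMPLE_LISTING = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
"""


class Cipher(NamedTuple):
    name: str
    protocol: str
    kx: str
    au: str
    enc: str
    bits: int
    mac: str


_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_listing(text: str) -> List[Cipher]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        bits = re.search(r"\((\d+)\)", m["enc"])  # e.g. AESGCM(256) -> 256
        suites.append(Cipher(m["name"], m["proto"], m["kx"], m["au"], m["enc"],
                             int(bits.group(1)) if bits else 0, m["mac"]))
    return suites


def why_rejected(c: Cipher, dhe_enabled: bool = False, min_bits: int = 0) -> str:
    """Return '' if the suite passes the policy, else the first reason it fails.

    The checks mirror "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE", with DHE gated on
    dhe_enabled because httpd leaves it off unless "tls dhe" is configured.
    min_bits is an extra floor (assumption for the example) for the
    ">128 bit" requirement in the original question.
    """
    if c.protocol != "TLSv1.2":
        return f"protocol {c.protocol} (only TLSv1.2 allowed)"
    if c.mac != "AEAD":
        return f"Mac={c.mac} (not an AEAD suite)"
    if c.kx == "DH" and not dhe_enabled:
        return "Kx=DH but DHE is not enabled (no 'tls dhe' in httpd.conf)"
    if c.kx not in ("ECDH", "DH"):
        return f"Kx={c.kx} (no forward secrecy)"
    if c.bits < min_bits:
        return f"{c.bits}-bit cipher below the {min_bits}-bit floor"
    return ""


def secure_suites(ciphers: List[Cipher], dhe_enabled: bool = False,
                  min_bits: int = 0) -> List[str]:
    """Names of the suites that survive the policy, in listing order."""
    return [c.name for c in ciphers if not why_rejected(c, dhe_enabled, min_bits)]


def main(argv: List[str]) -> None:
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    dhe = "--dhe" in argv
    for c in parse_listing(text):
        reason = why_rejected(c, dhe_enabled=dhe)
        print(f"{'OK  ' if not reason else 'DROP'} {c.name:32} {reason}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

The useful comparison is between this script's "OK" rows for the string httpd was given and the suite list a remote scan reports; any suite the scan shows that this script marks "DROP" was accepted by the running server regardless of what `httpd -n` said about the configuration.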

