RE: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite

2015-06-16 Thread karl karloff
:39 +0200 > From: ylavic@gmail.com > To: users@httpd.apache.org > Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite > > On Tue, Jun 16, 2015 at 10:48 PM, karl karloff > wrote: >> I am attempting to set up more than one subdomain on :443 in this

RE: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite

2015-06-16 Thread karl karloff
bject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite > > On Tue, Jun 16, 2015 at 1:57 PM, karl karloff wrote: >> > > AIUI This VH style is not used much and could be contributing. If you > don't care what underlying interface/IP is used, use *:443 and

RE: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite

2015-06-16 Thread karl karloff
> Have you tested with the "+"? > > from docs : > Syntax:SSLProtocol [+|-]protocol ... > > ex : > > SSLProtocol +TLSv1.2 > ... > > > SSLProtocol +SSLv3 > ... > > > > > On Tue, Jun 16, 2015 at 12:37 AM, karl karloff > wrot

[users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite

2015-06-15 Thread karl karloff
Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost? e.g. www.example.com requires modern encryption (i.e. TLSv1.2) old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3) I tried using somethin

[users@httpd] SSLOpenSSLConfCmd DHParameters and 2048-bit groups in Apache httpd 2.2.29 (current)

2015-05-22 Thread karl karloff
In light of the recent publicity of the "logjam attack" (e.g. https://weakdh.org/) Diffie-Hellman key exchange has come under some scrutiny. Industry wisdom seems to suggest that to prevent possible nation-state decryption an httpd server should generate a 2048-bit group of parameters (for Diff