Posted to users@httpd.apache.org by David Mehler <da...@gmail.com> on 2018/02/18 17:00:25 UTC

[users@httpd] SSL cipher suites

Hello,

I'm looking for recommendations. I'm running Apache 2.4 and OpenSSL
1.0.2n. I'm looking for the strongest certificates that support
TLSv1.2 and PFS.

Recommendations/pros/cons welcome.

Thanks.
Dave.

# SSL cipher suite 1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

# SSL Cipher Suite 2
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:!MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED:!CAMELLIA@STRENGTH"

# SSL cipher suite 3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256@STRENGTH

# SSL cipher suite 4
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS@STRENGTH

# SSL cipher suite 5
SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

# SSL cipher suite 6
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

# SSL cipher suite 7
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL cipher suites

Posted by "Michael A. Peters" <mp...@domblogger.net>.
Yes, I only use ciphers that implement forward secrecy.

On 02/18/2018 01:58 PM, David Mehler wrote:
> Hi,
>
> Thanks. Are these ciphers pfs friendly?
>
> Thanks.
> Dave.
>
>
> On 2/18/18, Michael A. Peters <mp...@domblogger.net> wrote:
>> On 02/18/2018 09:00 AM, David Mehler wrote:
>>> Hello,
>>>
>>> I'm looking for recommendations. I'm running Apache 2.4 and OpenSSL
>>> 1.0.2n. I'm looking for the strongest certificates that support
>>> TLSv1.2 and PFS.
>>>
>>> Recommendations/pros/cons welcome.
>>>
>>> Thanks.
>>> Dave.
>>>
>>
>> For sites that don't need Tumblr to be able to scrape the OpenGraph data
>> (Tumblr seems to use a buggy version of libcurl that doesn't tolerate
>> ECDSA certs) I use the following:
>>
>> SSLCipherSuite "EECDH+CHACHA20 EECDH+AES256 -SHA"
>>
>> For sites that I need to be social media friendly, I use RSA cert with
>> the following:
>>
>> SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384
>> EECDH+AES+SHA256 EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256"
>>
>> Example of how SSL Labs sees ECDSA config:
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=librelamp.com&latest
>>
>> Note that the "Android" browser in some versions of Android can't
>> connect; that's because I use LibreSSL, which no longer ships the
>> deprecated preview version of ChaCha20, and Google, being one of the
>> richest companies in the world, can't afford to update those versions of
>> Android to use the stable ChaCha20 cipher suite.
>>
>>
>




Re: [users@httpd] SSL cipher suites

Posted by David Mehler <da...@gmail.com>.
Hi,

Thanks. Are these ciphers pfs friendly?

Thanks.
Dave.


On 2/18/18, Michael A. Peters <mp...@domblogger.net> wrote:
> On 02/18/2018 09:00 AM, David Mehler wrote:
>> Hello,
>>
>> I'm looking for recommendations. I'm running Apache 2.4 and OpenSSL
>> 1.0.2n. I'm looking for the strongest certificates that support
>> TLSv1.2 and PFS.
>>
>> Recommendations/pros/cons welcome.
>>
>> Thanks.
>> Dave.
>>
>
> For sites that don't need Tumblr to be able to scrape the OpenGraph data
> (Tumblr seems to use a buggy version of libcurl that doesn't tolerate
> ECDSA certs) I use the following:
>
> SSLCipherSuite "EECDH+CHACHA20 EECDH+AES256 -SHA"
>
> For sites that I need to be social media friendly, I use RSA cert with
> the following:
>
> SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384
> EECDH+AES+SHA256 EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256"
>
> Example of how SSL Labs sees ECDSA config:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=librelamp.com&latest
>
> Note that the "Android" browser in some versions of Android can't
> connect; that's because I use LibreSSL, which no longer ships the
> deprecated preview version of ChaCha20, and Google, being one of the
> richest companies in the world, can't afford to update those versions of
> Android to use the stable ChaCha20 cipher suite.
>
>



Re: [users@httpd] SSL cipher suites

Posted by "Michael A. Peters" <mp...@domblogger.net>.
On 02/18/2018 09:00 AM, David Mehler wrote:
> Hello,
>
> I'm looking for recommendations. I'm running Apache 2.4 and OpenSSL
> 1.0.2n. I'm looking for the strongest certificates that support
> TLSv1.2 and PFS.
>
> Recommendations/pros/cons welcome.
>
> Thanks.
> Dave.
>

For sites that don't need Tumblr to be able to scrape the OpenGraph data
(Tumblr seems to use a buggy version of libcurl that doesn't tolerate
ECDSA certs) I use the following:

SSLCipherSuite "EECDH+CHACHA20 EECDH+AES256 -SHA"

For sites that I need to be social media friendly, I use an RSA cert with
the following:

SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384
EECDH+AES+SHA256 EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256"

Example of how SSL Labs sees ECDSA config:

https://www.ssllabs.com/ssltest/analyze.html?d=librelamp.com&latest

Note that the "Android" browser in some versions of Android can't
connect; that's because I use LibreSSL, which no longer ships the
deprecated preview version of ChaCha20, and Google, being one of the
richest companies in the world, can't afford to update those versions of
Android to use the stable ChaCha20 cipher suite.


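The thread leaves one thing to the reader: checking what a given SSLCipherSuite string actually enables, and whether the answer to "are these ciphers PFS friendly?" is yes. The script below is an added example for both David's seven candidate lists and Michael's two strings; it is not code from the thread, from Apache or from OpenSSL. It assumes Python 3.6 or later linked against OpenSSL, uses only the standard `ssl` module (`SSLContext.set_ciphers` and `get_ciphers`), and copies three cipher strings verbatim from the posts above; everything else in it is constructed here. The expansion reflects whatever OpenSSL build Python is linked against, so run it on the server in question (David's 1.0.2n) rather than trusting a result from another machine.

```python
import ssl

# Cipher strings copied from the thread: David's "suite 1" and "suite 4",
# and the string Michael uses on his ECDSA-certificate sites.
SUITE_1 = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
           "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
           "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
           "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
           "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")
SUITE_4 = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
           "RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS@STRENGTH")
ECDSA_SITE = "EECDH+CHACHA20 EECDH+AES256 -SHA"

# Key-exchange families that give forward secrecy: ephemeral (EC)DH.
# Static RSA key exchange ("kx-rsa", e.g. AES128-GCM-SHA256) does not.
PFS_KEA = {"kx-ecdhe", "kx-dhe"}


def expand(cipher_string):
    """Resolve an OpenSSL cipher-list string to the TLS 1.2 suites it
    enables, in OpenSSL's preference order for that string.
    Raises ssl.SSLError if nothing in the string matches a known suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also reports the TLS 1.3 suites, which OpenSSL enables
    # independently of this string and which are always ephemeral-DH; drop
    # them so the report covers only the list the directive controls.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Classify the enabled suites: which ones lack forward secrecy, and
    which predate TLS 1.2 (the CBC/SHA-1 suites OpenSSL labels 'SSLv3' or
    'TLSv1', the ones '!SSLv3' in suite 5 of the thread is meant to drop)."""
    suites = expand(cipher_string)
    return {
        "order": [c["name"] for c in suites],
        "non_pfs": [c["name"] for c in suites if c["kea"] not in PFS_KEA],
        "pre_tls12": [c["name"] for c in suites if c["protocol"] != "TLSv1.2"],
    }


def pfs_only(cipher_string):
    """True when every TLS 1.2 suite the string enables uses (EC)DHE."""
    return not audit(cipher_string)["non_pfs"]


if __name__ == "__main__":
    for label, s in (("suite 1", SUITE_1), ("suite 4", SUITE_4),
                     ("ECDSA site", ECDSA_SITE)):
        report = audit(s)
        print("%s: %d TLS 1.2 suites, PFS-only=%s"
              % (label, len(report["order"]), not report["non_pfs"]))
        for name in report["non_pfs"]:
            print("  no forward secrecy: %s" % name)
        for name in report["pre_tls12"]:
            print("  pre-TLS 1.2 suite:  %s" % name)
```

Suite 4 is the one to watch: its `RSA+AESGCM:RSA+AES` groups add static-RSA key exchange, so it is not PFS-only even though it leads with ECDH and DH. Suites 1 and Michael's `"EECDH+CHACHA20 EECDH+AES256 -SHA"` come back clean. The report only says what the string permits; whether the ECDSA suites are ever offered depends on the certificate installed, which is exactly the RSA-versus-ECDSA split Michael describes, and the listed order is only enforced if the server is configured to prefer its own order over the client's.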