Posted to users@httpd.apache.org by Tea Wrex <wr...@gmail.com> on 2016/12/07 11:19:05 UTC

[users@httpd] SSLCipherSuite and SSL Key Exchange

I have been using the Qualys SSL Labs SSL Server Test
<https://www.ssllabs.com/ssltest/index.html> to test my SSL implementation.
It scores an SSL server using the criteria located in the SSL Server Rating
Guide <https://www.ssllabs.com/projects/rating-guide/index.html>. I'm
trying to make the SSL as secure as possible. I have a 4096 bit
certificate. My server currently gets an A+ rating because I have enabled
HTTP Strict Transport Security (HSTS) with long duration. (More info on
correctly configuring SSL can be found here
<https://www.ssllabs.com/projects/documentation/index.html>.)


What I am trying to do is get the *Key Exchange* and *Cipher Strength*
scores to be 100 percent. I already have a 100 percent grade for the
*Certificate* and *Protocol Support* scores.

I have no idea how to fix the *Key Exchange* score, so I need help with
that.

I have been trying to change the *Cipher Strength* score by playing with
different variations of *SSLCipherSuite*.

This is my current setting for *SSLCipherSuite*:

SSLCipherSuite ECHD:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4

It says in the Apache manual under *SSLCipherSuite* that MEDIUM is "all
ciphers with 128 bit encryption." However, when I have set !MEDIUM (as
shown above) it does not remove the 128bit ciphers as they are still listed
in the test results. I have tried various settings but cannot seem to
remove the 128 bit ciphers. I also tried -MEDIUM but that did not work
either.

Thanks in advance for any help you can give,

Tea
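
Added example (not part of the original thread): a Python check, run against the OpenSSL library the interpreter is linked with, of which suites under 256 bits survive the cipher string from the post above. It assumes the list begins with the OpenSSL keyword ECDH. OpenSSL files AES128 suites under HIGH rather than MEDIUM, so they have to be excluded by name; the HARDENED string and the function name are this example's own.

```python
import ssl

# Cipher string from the post, with the key-exchange keyword written as
# ECDH (assumption of this example).
POSTED = "ECDH:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4"

# Constructed for this example: exclude the sub-256-bit families by name.
# Keywords an older OpenSSL does not know are ignored by the parser.
HARDENED = POSTED + ":!AES128:!CAMELLIA128:!ARIA128:!3DES"


def suites_below_256(cipher_string):
    """Return (name, strength_bits) for each pre-TLS-1.3 suite under 256 bits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    weak = []
    for cipher in ctx.get_ciphers():
        # TLS 1.3 suites are not controlled by this string, so skip them.
        if cipher["protocol"] == "TLSv1.3":
            continue
        if cipher["strength_bits"] < 256:
            weak.append((cipher["name"], cipher["strength_bits"]))
    return weak


if __name__ == "__main__":
    for label, cipher_string in (("posted", POSTED), ("hardened", HARDENED)):
        remaining = suites_below_256(cipher_string)
        print(f"{label}: {len(remaining)} suite(s) under 256 bits")
        for name, bits in remaining:
            print(f"  {name} ({bits} bits)")
```

The result reflects the OpenSSL build Python is linked against, which may differ from the one mod_ssl uses on the server.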

Re: [users@httpd] SSLCipherSuite and SSL Key Exchange

Posted by David Copeland <da...@jsidata.ca>.
Try the configuration tool at
https://mozilla.github.io/server-side-tls/ssl-config-generator/ .

Dave.

On 07/12/16 06:19 AM, Tea Wrex wrote:
> I have been using the Qualys SSL Labs SSL Server Test
> <https://www.ssllabs.com/ssltest/index.html> to test my SSL
> implementation. It scores an SSL server using the criteria located in
> the SSL Server Rating Guide
> <https://www.ssllabs.com/projects/rating-guide/index.html>. I'm trying
> to make the SSL as secure as possible. I have a 4096 bit certificate.
> My server currently gets an A+ rating because I have enabled HTTP
> Strict Transport Security (HSTS) with long duration. (More info on
> correctly configuring SSL can be found here
> <https://www.ssllabs.com/projects/documentation/index.html>.)
>
>
> What I am trying to do is get the /Key Exchange/ and /Cipher Strength/
> scores to be 100 percent. I already have a 100 percent grade for the
> /Certificate/ and /Protocol Support/ scores.
>
> I have no idea how to fix the /Key Exchange/ score, so I need help
> with that.
>
> I have been trying to change the /Cipher Strength/ score by playing
> with different variations of /SSLCipherSuite/.
>
> This is my current setting for /SSLCipherSuite/:
>
> SSLCipherSuite ECHD:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4
>
> It says in the Apache manual under /SSLCipherSuite/ that MEDIUM is
> "all ciphers with 128 bit encryption." However, when I have set
> !MEDIUM (as shown above) it does not remove the 128bit ciphers as they
> are still listed in the test results. I have tried various settings
> but cannot seem to remove the 128 bit ciphers. I also tried -MEDIUM but
> that did not work either.
>
> Thanks in advance for any help you can give,
>
> Tea
>
>


-- 
David Copeland
JSI Data Systems Limited
613-727-9353
www.jsidata.ca