Posted to users@httpd.apache.org by "@lbutlr" <kr...@kreme.com> on 2021/04/20 13:48:22 UTC
[users@httpd] SSLCipherSuite DEFAULT
If I define SSLCipherSuite DEFAULT will apache show the ciphers that are defined by openSSL and will be used?
Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
The complete list of ciphers that openssl supports numbers 60 and still includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
Trying to search on recommendations comes up with a lot of "use these settings to allow IE 6.0" which is of literally no interest to me at all.
This is what I am looking at using:
Protocols h2 h2c http/1.1
SSLCipherSuite DEFAULT
SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
But I may relent on TLSv1/1.1 after checking logs.
I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the older TLS and SSL that will provide ciphers and security that are supported by current browsers and if I allow TLSv1 it should support old browsers going back more than a decade, yes?
--
You know what they say about paradigms: Shift happens.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSLCipherSuite DEFAULT
Posted by Jim Albert <ji...@netrition.com>.
On 4/21/2021 3:56 PM, @lbutlr wrote:
> On 20 Apr 2021, at 13:20, Jim Albert <ji...@netrition.com> wrote:
>> On 4/20/2021 2:56 PM, @lbutlr wrote:
>>> Right, and I am running the current version of OpenSSL which, for example, doesn't support SSLv3 or TLSv1.1.
>> I'd be surprised if that were true.
>> If you run 'openssl ciphers -v ALL' you see no SSLv3 ciphers?
> TLSv1 is not a cipher, the cipher suites are different than the protocols, right?
>
> I'm pretty sure you cannot make a TLSv1 or TLSv1.1 connection to an OpenSSL 1.1.1k version of OpenSSL.
>
>
Speaking very generally and rudimentarily, cipher suites define a set of
algorithms to secure network communications and include things like key
exchange, authentication and encryption. They'll include various
encryption and hash algorithms such as AES, RSA, MD5, SHA# and lots more.
SSL and TLS are protocols that define how sets of cipher suites are to
be used. In order to achieve a certain level of security the various
protocols require a certain level of cipher suite.
So.. in order to achieve a certain level of security you need to define
above what level of SSL/TLS you will support (currently that is generally
TLSv1.1 and above) and then your cipher suite based on those required
for your supported SSL/TLS protocol version minus any that have known
significant vulnerabilities.
Jim
Re: [users@httpd] SSLCipherSuite DEFAULT
Posted by "@lbutlr" <kr...@kreme.com>.
On 20 Apr 2021, at 13:20, Jim Albert <ji...@netrition.com> wrote:
> On 4/20/2021 2:56 PM, @lbutlr wrote:
>> Right, and I am running the current version of OpenSSL which, for example, doesn't support SSLv3 or TLSv1.1.
>
> I'd be surprised if that were true.
> If you run 'openssl ciphers -v ALL' you see no SSLv3 ciphers?
TLSv1 is not a cipher, the cipher suites are different than the protocols, right?
I'm pretty sure you cannot make a TLSv1 or TLSv1.1 connection to an OpenSSL 1.1.1k version of OpenSSL.
--
"Are you pondering what I'm pondering?"
"I think so, Brain, but what if the hippopotamus won't wear the beach
thong?"
Re: [users@httpd] SSLCipherSuite DEFAULT
Posted by Jim Albert <ji...@netrition.com>.
On 4/20/2021 2:56 PM, @lbutlr wrote:
> On 20 Apr 2021, at 09:45, Jim Albert <ji...@netrition.com> wrote:
>> On 4/20/2021 9:48 AM, @lbutlr wrote:
>>> If I define SSLCipherSuite DEFAULT will apache show the ciphers that are defined by openSSL and will be used?
>>>
>>> Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
>>>
>>> The complete list of ciphers that openssl supports numbers 60 and still includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
>>> Trying to search on recommendations comes up with a lot of "use these settings to allow IE 6.0" which is of literally no interest to me at all.
>>>
>>> This is what I am looking at using:
>>>
>>> Protocols h2 h2c http/1.1
>>> SSLCipherSuite DEFAULT
>>> SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
>>>
>>> But I may relent on TLSv1/1.1 after checking logs.
>>>
>>> I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the older TLS and SSL that will provide ciphers and security that are supported by current browsers and if I allow TLSv1 it should support old browsers going back more than a decade, yes?
>>>
>> Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
>> Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.
> Right, and I am running the current version of OpenSSL which, for example, doesn't support SSLv3 or TLSv1.1.
I'd be surprised if that were true.
If you run 'openssl ciphers -v ALL' you see no SSLv3 ciphers?
Not that you should make use of them, but I'd expect them to still be
supported.
>
>> I believe running 'openssl ciphers'
> And that shows ciphers for TLSv1.1 and SSLv3, which is why I am a tad confused.
That's what I'd expect per my comment above.
You can compare:
openssl ciphers -v ALL
to
openssl ciphers -v DEFAULT
However, I doubt very much that either is what you want to use in practice.
I'd continue to suggest
https://wiki.mozilla.org/Security/Server_Side_TLS
or
https://ssl-config.mozilla.org/
which someone else pointed out and is also referenced from
https://wiki.mozilla.org/Security/Server_Side_TLS
>
>> will list your openssl installation's default cipher list which I am assuming is what SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have to confirm that.
>>
>> I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS as a decent starting point. Intermediate is usually a pretty good starting point for a public web server. Then watching for any cipher-based vulnerabilities that are announced or reported by any vulnerability testing you might have performed.
> Thanks, I did not find that, I was diving in apache 2.4 examples that were 3+ years old.
>
> It's impressive how much faster h2 is than http/1.1.
>
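As an added example (not code from the thread or from the httpd project), here is a small Python script that parses the output of `openssl ciphers -v`, which Jim suggests comparing between ALL and DEFAULT, and relates it to the SSLProtocol line from the original post. The second column of that output is the lowest protocol version a suite can be used with, which is why SSLv3- and TLSv1-tagged suites are listed even on a build that will only ever talk TLS 1.2: disabling a version in SSLProtocol removes that version from the handshake, not those suites, and only SSLCipherSuite prunes them. The TLS 1.3 suites are a separate set that exists only on TLS 1.3. The two listings in the script are constructed samples in that format; `openssl_ciphers()` pulls the real list from a local `openssl` binary when one is present, and the meaning of `all` in SSLProtocol is assumed to be the five versions an OpenSSL 1.1.1 build offers.

```python
"""Relate `openssl ciphers -v` output to an httpd SSLProtocol line.

Added example for this thread; not code from the httpd project or from
anyone posting in it.  The two listings below are CONSTRUCTED in the shape
`openssl ciphers -v` prints (name, minimum protocol, Kx=, Au=, Enc=, Mac=).
"""
import re
import subprocess

# Constructed stand-in for `openssl ciphers -v ALL`.  The second column is
# the *minimum* protocol a suite needs, so SSLv3/TLSv1-tagged suites are
# still offered on a TLS 1.2 connection; TLSv1.3 suites exist only there.
SAMPLE_ALL = """\
TLS_AES_256_GCM_SHA384       TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any  Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
PSK-AES128-CBC-SHA256        TLSv1   Kx=PSK  Au=PSK Enc=AES(128)    Mac=SHA256
AES128-SHA                   SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
RC4-SHA                      SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
"""
# Constructed stand-in for `openssl ciphers -v DEFAULT`: same build, RC4 gone.
SAMPLE_DEFAULT = "\n".join(ln for ln in SAMPLE_ALL.splitlines()
                           if not ln.startswith("RC4-SHA")) + "\n"

LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)"
                     r"\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

# Versions mod_ssl's `all` expands to on an OpenSSL 1.1.1 build (assumed);
# SSLv2 is long gone from OpenSSL, so a `-SSLv2` token is simply ignored.
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RANK = {p: i for i, p in enumerate(ALL_PROTOCOLS)}


def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into one dict per suite."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                      # skip blank or unexpected lines
            suites.append(m.groupdict())
    return suites


def parse_sslprotocol(spec):
    """Expand an httpd `SSLProtocol` value into the set of enabled versions."""
    enabled = set()
    for tok in spec.split():
        sign = tok[0] if tok[0] in "+-" else "+"
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else [name]
        for n in names:
            if n not in RANK:      # SSLv2 or unknown name: ignore
                continue
            if sign == "+":
                enabled.add(n)
            else:
                enabled.discard(n)
    return enabled


def usable_under(suites, enabled):
    """Suites still negotiable given the enabled protocol set.

    A pre-1.3 suite tagged with minimum version V is usable by any enabled
    version >= V below TLSv1.3; TLSv1.3 suites are usable only on TLSv1.3.
    """
    legacy_top = max((RANK[p] for p in enabled if p != "TLSv1.3"), default=-1)
    kept = []
    for s in suites:
        if s["version"] == "TLSv1.3":
            if "TLSv1.3" in enabled:
                kept.append(s)
        elif RANK[s["version"]] <= legacy_top:
            kept.append(s)
    return kept


def count_by_version(suites):
    """How many suites carry each minimum-protocol tag."""
    counts = {}
    for s in suites:
        counts[s["version"]] = counts.get(s["version"], 0) + 1
    return counts


def not_in_default(all_text, default_text):
    """Suite names present in the ALL listing but absent from DEFAULT."""
    default_names = {s["name"] for s in parse_ciphers(default_text)}
    return [s["name"] for s in parse_ciphers(all_text)
            if s["name"] not in default_names]


def openssl_ciphers(spec):
    """Real listing from the local openssl binary, or None if unavailable."""
    try:
        out = subprocess.run(["openssl", "ciphers", "-v", spec],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_ciphers(out)


if __name__ == "__main__":
    enabled = parse_sslprotocol("all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3")
    suites = openssl_ciphers("ALL") or parse_ciphers(SAMPLE_ALL)
    print("enabled protocols:", sorted(enabled, key=RANK.get))
    print("suites by minimum version:", count_by_version(suites))
    for s in usable_under(suites, enabled):
        print(f"  still offered: {s['name']:30} (min {s['version']})")
    print("in ALL but not DEFAULT:", not_in_default(SAMPLE_ALL, SAMPLE_DEFAULT))
```

Running it against the constructed sample shows the point of the thread: with `SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3` every suite in the list is still offered, including the SSLv3-tagged CBC/SHA1 ones, because the tag is a floor, not a binding to that version. Those are exactly the suites the Mozilla generator's intermediate profile leaves out, so an explicit SSLCipherSuite string (or the generator's output) is what actually removes them; `DEFAULT` only drops whatever the OpenSSL build's default string excludes.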
Re: [users@httpd] SSLCipherSuite DEFAULT
Posted by "@lbutlr" <kr...@kreme.com>.
On 20 Apr 2021, at 09:45, Jim Albert <ji...@netrition.com> wrote:
> On 4/20/2021 9:48 AM, @lbutlr wrote:
>> If I define SSLCipherSuite DEFAULT will apache show the ciphers that are defined by openSSL and will be used?
>>
>> Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
>>
>> The complete list of ciphers that openssl supports numbers 60 and still includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
>>
>> Trying to search on recommendations comes up with a lot of "use these settings to allow IE 6.0" which is of literally no interest to me at all.
>>
>> This is what I am looking at using:
>>
>> Protocols h2 h2c http/1.1
>> SSLCipherSuite DEFAULT
>> SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
>>
>> But I may relent on TLSv1/1.1 after checking logs.
>>
>> I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the older TLS and SSL that will provide ciphers and security that are supported by current browsers and if I allow TLSv1 it should support old browsers going back more than a decade, yes?
>>
>
> Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
> Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.
Right, and I am running the current version of OpenSSL which, for example, doesn't support SSLv3 or TLSv1.1.
> I believe running 'openssl ciphers'
And that shows ciphers for TLSv1.1 and SSLv3, which is why I am a tad confused.
> will list your openssl installation's default cipher list which I am assuming is what SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have to confirm that.
>
> I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS as a decent starting point. Intermediate is usually a pretty good starting point for a public web server. Then watching for any cipher-based vulnerabilities that are announced or reported by any vulnerability testing you might have performed.
Thanks, I did not find that, I was diving in apache 2.4 examples that were 3+ years old.
It's impressive how much faster h2 is than http/1.1.
--
Bart, don't use the Touch of Death on your sister.
Re: [users@httpd] SSLCipherSuite DEFAULT
Posted by Daniel Ferradal <df...@apache.org>.
Have you tried the Mozilla SSL generator? It generally is quite good:
For intermediate Security allowing TLSv1.2 for example:
https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
On Tue, 20 Apr 2021 at 17:46, Jim Albert (<ji...@netrition.com>) wrote:
>
> On 4/20/2021 9:48 AM, @lbutlr wrote:
> > If I define SSLCipherSuite DEFAULT will apache show the ciphers that are defined by openSSL and will be used?
> >
> > Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
> >
> > The complete list of ciphers that openssl supports numbers 60 and still includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
> >
> > Trying to search on recommendations comes up with a lot of "use these settings to allow IE 6.0" which is of literally no interest to me at all.
> >
> > This is what I am looking at using:
> >
> > Protocols h2 h2c http/1.1
> > SSLCipherSuite DEFAULT
> > SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
> >
> > But I may relent on TLSv1/1.1 after checking logs.
> >
> > I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the older TLS and SSL that will provide ciphers and security that are supported by current browsers and if I allow TLSv1 it should support old browsers going back more than a decade, yes?
> >
>
> Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
> Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.
>
> I believe running 'openssl ciphers' will list your openssl
> installation's default cipher list which I am assuming is what
> SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have to
> confirm that.
>
> I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS
> as a decent starting point. Intermediate is usually a pretty good
> starting point for a public web server. Then watching for any
> cipher-based vulnerabilities that are announced or reported by any
> vulnerability testing you might have performed.
>
> https://www.ssllabs.com/ssltest/
> is a pretty nice site to check on your httpd SSL configs.
>
> Jim
>
--
Daniel Ferradal
HTTPD Project
#httpd help at Freenode
Re: [users@httpd] SSLCipherSuite DEFAULT
Posted by Jim Albert <ji...@netrition.com>.
On 4/20/2021 9:48 AM, @lbutlr wrote:
> If I define SSLCipherSuite DEFAULT will apache show the ciphers that are defined by openSSL and will be used?
>
> Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
>
> The complete list of ciphers that openssl supports numbers 60 and still includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
>
> Trying to search on recommendations comes up with a lot of "use these settings to allow IE 6.0" which is of literally no interest to me at all.
>
> This is what I am looking at using:
>
> Protocols h2 h2c http/1.1
> SSLCipherSuite DEFAULT
> SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
>
> But I may relent on TLSv1/1.1 after checking logs.
>
> I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the older TLS and SSL that will provide ciphers and security that are supported by current browsers and if I allow TLSv1 it should support old browsers going back more than a decade, yes?
>
Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.
I believe running 'openssl ciphers' will list your openssl
installation's default cipher list which I am assuming is what
SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have to
confirm that.
I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS
as a decent starting point. Intermediate is usually a pretty good
starting point for a public web server. Then watching for any
cipher-based vulnerabilities that are announced or reported by any
vulnerability testing you might have performed.
https://www.ssllabs.com/ssltest/
is a pretty nice site to check on your httpd SSL configs.
Jim