On Mon, 26 Jan 2015, Alessandro Baggi wrote:
Hi list,
I'm configuring apache with https and I've a question about sslv3
deactivation.
Running "openssl ciphers -v" I get a list of cypher suite of openssl like:
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128)
Mac=AEAD
.........
Each lines report relative protocol.
Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like:
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
that has protocol SSLv3?
Disabling SSLv3 protocol, apache will use only TLSv1.2 cypher protocol?
Unless you're running a site that strictly controls the clients that
access it (e.g., corporate intranet), limiting Apache to TLS 1.2 will
probably keep some people away since not all widely used browsers
support it yet.
Here's what I do (Apache 2.4)
SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP
SSLHonorCipherOrder on
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
I'd love to disable TLSv1 and 1.1, but the accessibility trade-offs
are too much for me.
--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
