Now I must be getting rusty - we have in the config file

    SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
    SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3

with the first resolving nicely with

    openssl ciphers -ALL:ECDHE-RSA-AES256-SHA

to just

    ECDHE-RSA-AES256-SHA

So my assumption is that this server will insist on talking above - and nothing else.

And on the wire - if I observe the Server Hello I see:

    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Server Hello
            ...
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

which is sort of what I expect. However when I throw

    https://www.ssllabs.com/ssltest/analyze.html

their analyzer at it - it seems to be quite able to convince the server to say hello's with

    SSLv3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        ...
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

or

    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        ...
        Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)

And so on*.

I must be missing something very obvious here! Am I misunderstanding SSLCipherSuite or is there something specific about 1.2 which makes certain things mandatory and not under control of SSLCipherSuite?

Dw.

* besides

    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

Server Hello's with

    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
    Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
    Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
    Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
    Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
    Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
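
An added example, not part of the original message: a small audit that parses Server Hello fragments in the Wireshark text layout quoted above and flags every handshake that falls outside the configured policy. It assumes the IANA registry id 0xC014 for OpenSSL's ECDHE-RSA-AES256-SHA (a value from the registry, not from the post); the function names and the sample capture are constructed for illustration.

```python
import re

# Policy from the post: SSLCipherSuite resolves to ECDHE-RSA-AES256-SHA only.
# Assumption (IANA registry, not the post): that suite is
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, id 0xC014.
ALLOWED_SUITES = {0xC014}
ALLOWED_VERSIONS = {"SSLv3", "TLSv1.1", "TLSv1.2"}  # from the SSLProtocol line

# Constructed sample in the layout of the Server Hello fragments quoted above.
SAMPLE = """\
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
SSLv3 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
"""

RECORD_RE = re.compile(r"^\s*(SSLv3|TLSv1(?:\.[0-3])?) Record Layer: .*Server Hello")
SUITE_RE = re.compile(r"^\s*Cipher Suite: (\w+) \((0x[0-9a-fA-F]{4})\)")

def parse_server_hellos(text):
    """Return [(version, suite_name, suite_id)], one entry per Server Hello."""
    hellos, version = [], None
    for line in text.splitlines():
        rec, suite = RECORD_RE.match(line), SUITE_RE.match(line)
        if rec:
            version = rec.group(1)
        elif suite and version:
            hellos.append((version, suite.group(1), int(suite.group(2), 16)))
            version = None  # a Server Hello selects exactly one suite
    return hellos

def audit(text):
    """Return the Server Hellos that fall outside the configured policy."""
    findings = []
    for version, name, suite_id in parse_server_hellos(text):
        reasons = []
        if version not in ALLOWED_VERSIONS:
            reasons.append("protocol not enabled by SSLProtocol")
        if suite_id not in ALLOWED_SUITES:
            reasons.append("suite not in resolved SSLCipherSuite list")
        if reasons:
            findings.append((version, name, suite_id, reasons))
    return findings

if __name__ == "__main__":
    for version, name, suite_id, reasons in audit(SAMPLE):
        print(f"{version} {name} (0x{suite_id:04x}): {'; '.join(reasons)}")
```

Comparing by numeric id rather than by name avoids confusing the CBC-SHA suite (0xC014) with the GCM-SHA384 suite (0xC030), whose OpenSSL and IANA names look alike.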