Thank you. With the setting below in httpd.conf
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!RC4:!ECDHE-RSA-DES-CBC3-SHA:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS
and in vhosts.conf with:
NameVirtualHost *:443
...
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
...
I get an "A+" rating, so I think it should be OK:
Certificate 100
Protocol Support 95
Key Exchange 80
Cipher Strength 90
--
Joseph
On 06/22/14 09:55, Mick wrote:
> On Sunday 22 Jun 2014 02:29:44 Joseph wrote:
>> Before upgrading to apache 2.2.27 I had this line in httpd.conf
>> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>> and I was getting an "A-" rating from: www.ssllabs.com
>> Now after upgrading to apache-2.2.27 I'm getting a "C" because of weak Cipher
>> Strength inclusion:
>> TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
>> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
>> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
>> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK 40
>> TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
>> TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 56
>> How to get rid of it? I've tried setting in 00_default_ssl_vhost.conf
>> SSLProtocol all -SSLv2 -SSLv3
>
> It should be better to set -ALL to disable all protocols and then explicitly
> enable only the protocols that you want to trust as secure, e.g. +TLSv1.2
>
>> SSLCompression Off
>> SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
>
> This leaves the anonymous DH enabled which will give you a poor rating.
>
>> or
>> SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.2
>> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
>
> This enables RC4 which may give you a poor rating - not sure. Better you move
> it down the list so that more secure ciphers are tried first.
>
>> nothing helps, I'm still getting a "C" because of weak Cipher Strength
>> inclusion.
>
> This is because you inadvertently allow weak ciphers in your directives above.
> Try running openssl ciphers -v <string> to see what your directives allow and
> in what order. Then modify them accordingly.
>
> HTH.
> --
> Regards,
> Mick
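Mick's check (expand the SSLCipherSuite string with openssl ciphers -v and read what it actually allows) is the right one, and it is easy to automate. The script below is an added example, not part of the thread: it reads openssl ciphers -v output on stdin and flags the classes SSL Labs complained about in Joseph's report, namely export-grade suites, anonymous (Au=None) key exchange, RC4/RC2/NULL encryption, MD5 MACs and any cipher under 112 bits. The two sample listings are constructed in the openssl output format to mirror the old and cleaned-up directives; they are not captured from a real run.

```shell
#!/bin/sh
# Added example: audit `openssl ciphers -v` output for suites that lower a
# TLS rating. Reads the listing on stdin, prints "NAME: reasons" for every
# weak suite, and exits 1 if any were found (0 when the list is clean).
flag_weak_ciphers() {
    awk '
    {
        name = $1; reason = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "export")      reason = reason " export-grade"
            if ($i ~ /^Au=None/)     reason = reason " anonymous-auth"
            if ($i ~ /^Mac=MD5/)     reason = reason " md5-mac"
            if ($i ~ /^Enc=/) {
                enc = $i; sub(/^Enc=/, "", enc)
                # Broken or absent ciphers regardless of key length.
                if (enc ~ /^(RC4|RC2|None)/) reason = reason " " enc
                # Enc=RC4(40), Enc=DES(56), Enc=AESGCM(256): read the bit count.
                # 3DES shows as 168 and is deliberately not flagged here, which
                # matches the rating Joseph reports with 3DES still enabled.
                if (match(enc, /\([0-9]+\)/)) {
                    bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
                    if (bits < 112) reason = reason " " bits "-bit"
                }
            }
        }
        if (reason != "") { print name ":" reason; weak++ }
    }
    END { exit (weak > 0) }'
}

# Constructed samples (not real openssl output) in the `openssl ciphers -v`
# format. SAMPLE_OLD models what the thread's original directive let through;
# SAMPLE_NEW models a cleaned-up directive.
SAMPLE_OLD='EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

SAMPLE_NEW='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# Against a live build, pipe the real expansion of the directive string:
#   openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT' | flag_weak_ciphers
# Here the constructed samples stand in for that output.
echo "== old directive (constructed sample) =="
printf '%s\n' "$SAMPLE_OLD" | flag_weak_ciphers && echo "no weak suites"
echo "== new directive (constructed sample) =="
printf '%s\n' "$SAMPLE_NEW" | flag_weak_ciphers && echo "no weak suites"
```

Run it with the OpenSSL the server actually links against: the same SSLCipherSuite string expands to different suite lists on different OpenSSL builds, so a clean result on a workstation does not prove the server's list is clean. The output order is also the server's preference order, which is what Mick means by moving weaker suites down the list.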