On 27.04.2010 05:19, Grant wrote:
> I've been advised to harden my SSL in the following ways:
> 1. disable SSL 2.0
Agreed. There is no need to support SSL 2.0 anymore.
> 2. disable use of SSL ciphers which offer either weak or no encryption
For maximum compatibility, support AES, RC4 and 3DES (and up). There is
no need to support weaker ciphers.
> 3. disable anonymous SSL ciphers
Correct. There is no need except in emergencies (actual
interoperability problems with mandatory TLS destinations). But it
should be the default anyway.
In general, try to
* use a private key that is at least 2048 bits long
* do not offer ciphers below 128 bits
* do not support SSLv2
* do not offer anonymous Diffie-Hellman (ADH)
* generate new keys for each certificate (do not reuse keys)
* support/offer TLS 1.0 and better
--
Eray
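The checklist above, turned into a small audit of a server-side TLS configuration (an added example, not code from the thread): it builds a server context that follows the list and flags any enabled suite that uses anonymous key exchange or fewer than 128 bits of encryption. It assumes Python's standard ssl module on OpenSSL; the SAMPLE records are constructed, and the TLS 1.2 floor in hardened_context is my assumption where the thread's own floor was TLS 1.0.

```python
"""Audit a TLS server configuration against the thread's hardening list (added example)."""
import ssl
MIN_STRENGTH_BITS = 128  # "do not offer ciphers below 128 bits"

def cipher_findings(cipher):
    """Rule violations for one record in ssl.SSLContext.get_ciphers() shape."""
    findings = []
    # Anonymous DH/ECDH: OpenSSL prints Au=None, Python exposes it as 'auth-null'.
    if cipher.get("auth") == "auth-null" or "Au=None" in cipher.get("description", ""):
        findings.append("anonymous key exchange (ADH/AECDH)")
    # strength_bits is the effective key length; 0 means eNULL (no encryption).
    if cipher["strength_bits"] < MIN_STRENGTH_BITS:
        findings.append("only %d-bit encryption" % cipher["strength_bits"])
    return findings

def audit_ciphers(ciphers):
    """Map cipher name -> violations, listing only suites that break a rule."""
    return {c["name"]: f for c in ciphers if (f := cipher_findings(c))}

def audit_context(ctx, floor=ssl.TLSVersion.TLSv1):
    """Audit a live SSLContext: protocol floor plus every enabled cipher suite."""
    findings = audit_ciphers(ctx.get_ciphers())
    # The thread's floor is TLS 1.0 ("TLS 1.0 and better"); pass a higher one to tighten.
    if ctx.minimum_version < floor:
        findings["protocol"] = ["minimum version below %s" % floor.name]
    return findings

def hardened_context(floor=ssl.TLSVersion.TLSv1_2):
    """Server context following the list: no SSLv2/v3, no aNULL/eNULL, >=128 bits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor  # assumption: TLS 1.2 as today's floor, not the 2010 one
    # HIGH = 128-bit-and-up suites; the negations drop anonymous, null, export, LOW, MD5.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5")
    return ctx

# Constructed records in get_ciphers() shape (descriptions shortened), covering
# suites that a current OpenSSL no longer ships but a 2010 server might have offered.
SAMPLE = [
    {"name": "ADH-AES128-SHA", "auth": "auth-null", "strength_bits": 128,
     "description": "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1"},
    {"name": "EXP-RC4-MD5", "auth": "auth-rsa", "strength_bits": 40,
     "description": "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export"},
    {"name": "NULL-SHA", "auth": "auth-rsa", "strength_bits": 0,
     "description": "NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1"},
    {"name": "AES128-SHA", "auth": "auth-rsa", "strength_bits": 128,
     "description": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"},
]
```

Running audit_ciphers(SAMPLE) reports the three offending suites and leaves AES128-SHA alone; audit_context(hardened_context()) returns an empty dict, and audit_context(ssl.create_default_context()) shows how the same check reads a context you did not build yourself.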