On 02/18/2018 09:00 AM, David Mehler wrote:
Hello,

I'm looking for recommendations. I'm running Apache 2.4 and OpenSSL
1.0.2n. I'm looking for the strongest certificates that support
TLSv1.2 and PFS.

Recommendations/pros/cons welcome.

Thanks.
Dave.


For sites that don't need Tumblr to be able to scrape the OpenGraph data (Tumblr seems to use a buggy version of libcurl that doesn't tolerate ECDSA certs), I use the following:

SSLCipherSuite "EECDH+CHACHA20 EECDH+AES256 -SHA"

For sites that I need to be social media friendly, I use an RSA cert with the following:

SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256"

Example of how SSL Labs sees ECDSA config:

https://www.ssllabs.com/ssltest/analyze.html?d=librelamp.com&latest

Note that the "Android" browser in some versions of Android can't connect. That's because I use LibreSSL, which no longer ships the deprecated preview version of ChaCha20, and Google, being one of the richest companies in the world, can't afford to update those versions of Android to use the stable ChaCha20 cipher suite.
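
One way to check the PFS requirement from the question against the two cipher strings in the reply, as an added example that is not part of the original message: it expands each string through Python's ssl module and lists any suite that lacks an ephemeral key exchange. The helper names `expand` and `audit` are hypothetical, and the suites returned depend on the TLS library Python is linked against.

```python
import ssl

# Cipher strings quoted from the reply above.
ECDSA_SITE = "EECDH+CHACHA20 EECDH+AES256 -SHA"
RSA_SITE = ("EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 "
            "EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256")

# OpenSSL names for suites with an ephemeral (forward-secret) key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-")


def expand(cipher_string):
    """Names of the TLS 1.2-and-earlier suites the local library selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites (TLS_*) are not governed by this string; skip them.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def audit(cipher_string):
    """Summarise what a cipher string permits, in preference order."""
    names = expand(cipher_string)
    return {
        "suites": names,
        # Static RSA/DH key exchange would show up here.
        "non_pfs": [n for n in names if not n.startswith(PFS_PREFIXES)],
        # Finite-field DHE suites left for clients without ECDHE.
        "dhe": [n for n in names if n.startswith("DHE-")],
        # CBC suites that still use HMAC-SHA1.
        "sha1_mac": [n for n in names if n.endswith("-SHA")],
    }


if __name__ == "__main__":
    for label, string in (("ECDSA site", ECDSA_SITE), ("RSA site", RSA_SITE)):
        report = audit(string)
        print(f"{label}: {len(report['suites'])} suites, "
              f"non-PFS: {report['non_pfs'] or 'none'}")
        for name in report["suites"]:
            print("   ", name)
```

With an ECDSA certificate only the `ECDHE-ECDSA-*` entries of the first list can actually be negotiated; the cipher string itself does not depend on the certificate type.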

