On 20 Apr 2021, at 09:45, Jim Albert <j...@netrition.com> wrote:
> On 4/20/2021 9:48 AM, @lbutlr wrote:
>> If I define SSLCipherSuite DEFAULT will apache show the ciphers that are 
>> defined by openSSL and will be used?
>> 
>> Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
>> 
>> The complete list of ciphers that openssl supports numbers 60 and still 
>> includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
>> 
>> Trying to search on recommendations comes up with a lot of "use these 
>> settings to allow IE 6.0" which is of literally no interest to me at all.
>> 
>> This is what I am looking at using:
>> 
>> Protocols h2 h2c http/1.1
>> SSLCipherSuite DEFAULT
>> SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
>> 
>> But I may relent on TLSv1/1.1 after checking logs.
>> 
>> I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow 
>> the older TLS and SSL that will provide ciphers and security that are 
>> supported by current browsers and if I allow TLSv1 it should support old 
>> browsers going back more than a decade, yes?
>> 
> 
> Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
> Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.

Right, and I am running the current version of OpenSSL which, for example, 
doesn't support SSLv3 or TLSv1.1.

> I believe running 'openssl ciphers'

And that shows ciphers for TLSv1.1 and SSLv3, which is why I am a tad confused.

> will list your openssl installation's default cipher list which I am assuming 
> is what SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have 
> to confirm that.
> 
> I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS as a 
> decent starting point. Intermediate is usually a pretty good starting point 
> for a public web server. Then watching for any cipher-based vulnerabilities 
> that are announced or reported by any vulnerability testing you might have 
> performed.

Thanks, I did not find that, I was diving in apache 2.4 examples that were 3+ 
years old.

It's impressive how much faster h2 is than http/1.1.

-- 
Bart, don't use the Touch of Death on your sister.

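Added example, not from the thread or from httpd: the script below models the two directives under discussion, `SSLCipherSuite DEFAULT` and `SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3`, with Python's ssl module, which is linked against the local OpenSSL in the same way mod_ssl is, so the resulting list is this machine's DEFAULT, not a generic one. The SSLProtocol parsing is a simplified model of the directive (left to right, `-` removes, bare or `+` adds, `-SSLv2` tolerated as a no-op), not mod_ssl's own parser, and gaps between the lowest and highest enabled version are not modelled. Two caveats a practitioner wants here: the protocol column that `openssl ciphers -v` prints (and that `get_ciphers()` returns) is the version a cipher was first defined for, so entries tagged SSLv3 or TLSv1 are still offered over TLS 1.2 and disabling TLSv1 does not remove them; and the cipher string only governs TLS 1.2 and below, since TLS 1.3 suites are a separate list in OpenSSL and a separate `SSLCipherSuite TLSv1.3 ...` line in mod_ssl 2.4.36+.

```python
"""What `SSLCipherSuite DEFAULT` plus `SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3`
leave negotiable, evaluated against the OpenSSL this Python is linked to.

Added example, not code from the thread or from httpd. SSLProtocol parsing
below is a simplified model of the directive, not mod_ssl's parser.
"""
import ssl

# Versions mod_ssl 2.4 accepts in SSLProtocol, mapped to the ssl module's enum.
# SSLv2 is not supported; "-SSLv2" is tolerated as a no-op, "+SSLv2" rejected.
PROTOCOLS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_sslprotocol(spec):
    """Return the set of TLSVersion members an SSLProtocol value enables.
    Tokens are processed left to right; "-X" removes, "X" or "+X" adds."""
    enabled = set()
    for tok in spec.split():
        remove = tok.startswith("-")
        name = tok[1:] if tok[0] in "+-" else tok
        if name == "all":
            names = list(PROTOCOLS)
        elif name == "SSLv2":
            if not remove:
                raise ValueError("SSLv2 is not supported")
            continue
        elif name in PROTOCOLS:
            names = [name]
        else:
            raise ValueError("unknown protocol %r" % name)
        for n in names:
            if remove:
                enabled.discard(PROTOCOLS[n])
            else:
                enabled.add(PROTOCOLS[n])
    return enabled


def build_context(cipher_spec, protocol_spec):
    """Server context mirroring the two directives. The cipher string governs
    TLS 1.2 and below only; TLS 1.3 suites are a separate list in OpenSSL
    (and a separate `SSLCipherSuite TLSv1.3 ...` line in mod_ssl 2.4.36+)."""
    enabled = parse_sslprotocol(protocol_spec)
    if not enabled:
        raise ValueError("SSLProtocol enables nothing")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min(enabled)  # gaps between min and max are not modelled
    ctx.maximum_version = max(enabled)
    ctx.set_ciphers(cipher_spec)
    return ctx


def cipher_report(ctx):
    """Group the enabled ciphers by the protocol version that first defined them,
    the same column `openssl ciphers -v` prints. It is a lower bound, not a
    restriction: a cipher tagged SSLv3 or TLSv1 is still offered over TLS 1.2,
    so disabling TLSv1 in SSLProtocol does not shrink this list."""
    by_proto = {}
    for c in ctx.get_ciphers():
        by_proto.setdefault(c["protocol"], []).append(c["name"])
    return by_proto


def weak_names(ctx):
    """Names a practitioner would not want to see; DEFAULT should yield none."""
    bad = ("NULL", "RC4", "EXP", "ADH", "AECDH")
    return [c["name"] for c in ctx.get_ciphers() if any(b in c["name"] for b in bad)]


if __name__ == "__main__":
    ctx = build_context("DEFAULT", "all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3")
    print("protocols:", ctx.minimum_version.name, "..", ctx.maximum_version.name)
    for proto, names in sorted(cipher_report(ctx).items()):
        print("%-8s %3d  e.g. %s" % (proto, len(names), names[0]))
    print("weak:", weak_names(ctx) or "none")
```

Run it on the server itself (the same OpenSSL mod_ssl loads) and compare the per-protocol counts against `openssl ciphers -v DEFAULT`; if you want the list filtered to what a TLS 1.2-only handshake can actually use, `openssl ciphers -s -tls1_2 -v DEFAULT` (OpenSSL 1.1.1+) does that filtering for you.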
