On 4/20/2021 2:56 PM, @lbutlr wrote:
On 20 Apr 2021, at 09:45, Jim Albert <j...@netrition.com> wrote:
On 4/20/2021 9:48 AM, @lbutlr wrote:
If I define SSLCipherSuite DEFAULT will apache show the ciphers that are
defined by openSSL and will be used?
Is this the best way to go, or should I specifically list TLSv1.2 and
TLS1.3?
The complete list of ciphers that openssl supports numbers 60 and still
includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
Trying to search on recommendations comes up with a lot of "use these
settings to allow IE 6.0" which is of literally no. interest to me at all.
This is what I am looking at using:
Protocols h2 h2c http/1.1
SSLCipherSuite DEFAULT
SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
But I may relent on TLSv1/1.1 after checking logs.
I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the
older TLS and SSL that will provide ciphers and security that are supported by
current browsers and if I allow TLSv1 it should support old browsers going back
more than a decade, yes?
Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.
Right, and I am running the current version of OpenSSL which, for example,
doesn't support SSLv3 or TLSv1.1.
I'd be surprised if that were true.
If you run 'openssl ciphers -v ALL' you see no SSLv3 ciphers?
Not that you should make use of them, but I'd expect them to still be
supported.
I believe running 'openssl ciphers'
Ad that shows ciphers for TLSv1.1 and SSLv3, which is why I am a tad confused.
That's what I'd expect per my comment above.
You can compare:
openssl ciphers -v ALL
to
openssl ciphers -v DEFAULT
However, I doubt very much that either is what you want to use in practice.
I'd continue to suggest
https://wiki.mozilla.org/Security/Server_Side_TLS
or
https://ssl-config.mozilla.org/
which someone else pointed out and is also referenced from
https://wiki.mozilla.org/Security/Server_Side_TLS
will list your openssl installation's default cipher list which I am assuming
is what SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have
to confirm that.
I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS as a decent starting point. Intermediate is usually a pretty good starting point for a public web server. Then watching for any cipher-based vulnerabilities that are announced or reported by any vulnerability testing
you might have performed.
Thanks, I did not find that, I was diving in apache 2.4 examples that were 3+
years old.
It's impressive how much faster h2 is than http/1.1.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org