Hi list,
I'm configuring apache with https and I've a question about sslv3 deactivation.

Running "openssl ciphers -v" I get a list of cipher suites of openssl like:

ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
.........

Each line reports the relative protocol.

Disabling sslv3 with "SSLProtocol all -SSLv3" I can use a cipher like:

ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1

that has protocol SSLv3?

Disabling SSLv3 protocol, apache will use only TLSv1.2 cipher protocol?

Thanks in advance.

Alessandro.

On Mon, 26 Jan 2015, Alessandro Baggi wrote:

> Hi list,
> I'm configuring apache with https and I've a question about sslv3
> deactivation.
>
> Running "openssl ciphers -v" I get a list of cipher suites of openssl like:
>
> ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128)
> Mac=AEAD
> .........
>
> Each line reports the relative protocol.
>
> Disabling sslv3 with "SSLProtocol all -SSLv3" I can use a cipher like:
>
> ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
>
> that has protocol SSLv3?
>
> Disabling SSLv3 protocol, apache will use only TLSv1.2 cipher protocol?

Unless you're running a site that strictly controls the clients that access it (e.g., corporate intranet), limiting Apache to TLS 1.2 will probably keep some people away since not all widely used browsers support it yet.

Here's what I do (Apache 2.4)

SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP
SSLHonorCipherOrder on
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1

I'd love to disable TLSv1 and 1.1, but the accessibility trade-offs are too much for me.

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W

> I'm configuring apache with https and I've a question about sslv3
> deactivation.
>
> Running "openssl ciphers -v" I get a list of cipher suites of openssl like:
>
> ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128)
> Mac=AEAD
> .........
>

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off

Then use cipher suite to your liking.
Modern, Intermediate, Old, from...

https://wiki.mozilla.org/Security/Server_Side_TLS#Apache

Test via...

https://www.ssllabs.com/ssltest/

On 01/26/2015 06:48 PM, Ken wrote:

>> I'm configuring apache with https and I've a question about sslv3
>> deactivation.
>>
>> Running "openssl ciphers -v" I get a list of cipher suites of openssl
>> like:
>>
>> ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128)
>> Mac=AEAD
>> .........
>>
>
> SSLProtocol all -SSLv2 -SSLv3
> SSLHonorCipherOrder on
> SSLCompression off
>
> Then use cipher suite to your liking.
> Modern, Intermediate, Old, from...
>
> https://wiki.mozilla.org/Security/Server_Side_TLS#Apache
>
> Test via...
>
> https://www.ssllabs.com/ssltest/

Thanks friend for your answer.
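
The question that opens this thread turns on what the protocol column of "openssl ciphers -v" means: it is the minimum protocol version that can carry the suite, so a suite labelled SSLv3 stays negotiable under TLSv1 and later. The sketch below is an added example, not code from any poster; its model of SSLProtocol (tokens applied left to right, "all" taken to mean SSLv3 through TLSv1.2, SSLv2 ignored) and the names enabled_protocols and negotiable are assumptions made for illustration.

```python
# Added example. Protocol-level check only: SSLCipherSuite still decides
# which of the listed suites the server actually offers.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest to newest

def enabled_protocols(directive):
    """Evaluate the arguments of an SSLProtocol directive left to right."""
    enabled = set()
    for token in directive.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-")
        if name == "SSLv2":           # assumption: build without SSLv2 support
            continue
        if name.lower() == "all":     # assumption: all = SSLv3 .. TLSv1.2
            selected = set(ORDER)
        elif name in ORDER:
            selected = {name}
        else:
            raise ValueError("unknown protocol: " + token)
        if sign == "-":
            enabled -= selected
        elif sign == "+":
            enabled |= selected
        else:                         # a bare token replaces what was set so far
            enabled = selected
    return enabled

def negotiable(ciphers_v_output, directive):
    """Return the suites that at least one enabled protocol can carry."""
    enabled = enabled_protocols(directive)
    if not enabled:
        return []
    newest = max(ORDER.index(p) for p in enabled)
    usable = []
    for line in ciphers_v_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[1] not in ORDER:
            continue                  # blank lines and SSLv2-only suites
        if ORDER.index(fields[1]) <= newest:  # column 2 is the minimum version
            usable.append(fields[0])
    return usable

# The two "openssl ciphers -v" lines quoted in the question.
SAMPLE = """\
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
"""

if __name__ == "__main__":
    for directive in ("all -SSLv3", "+TLSv1.2 +TLSv1.1 +TLSv1", "SSLv3"):
        print(directive, "->", sorted(enabled_protocols(directive)),
              negotiable(SAMPLE, directive))
```

With "all -SSLv3" both sample suites remain negotiable, because TLSv1 and later can carry a suite whose minimum version is SSLv3; only with SSLv3 as the sole enabled protocol does the TLSv1.2 suite drop out.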