Author |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Fri 21 Oct '11 15:08 Post subject: |
|
|
Doing that reduces the encryption. I made something like that and now I have only 128 bit encryption vis RC4 instead of the 256 AES.
Any chance to have 256 bit encrytion again?
Code: |
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
|
AFAIK from my config it should use / prefer AES 256 before RC4, but it doesn't. |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Sat 22 Oct '11 3:15 Post subject: |
|
|
As far as I read it, ECDHE-RSA-AES256-SHA384 is an TLS/1.2 cipher. Since OpenSSL 0.9.8 and 1.0.0 do not speak TLS/1.2, I doubt the cipher is available. Secondly, isn't it AES256-SHA and not AES256-SHA256?
http://www.openssl.org/docs/apps/ciphers.html#AES_ciphersuites_from_RFC3268_e
So it goes to the first valid one it finds in the list, RC4.
Of course AES256-SHA is a CBC cipher, and therefore can be attacked. I think for the moment 128bit RC4 is better than 256bit that can be 'beasted' |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Sat 22 Oct '11 22:37 Post subject: |
|
|
glsmith wrote: | Secondly, isn't it AES256-SHA and not AES256-SHA256?
|
right. Copy paste error while trying getting it secure. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Sat 24 Mar '12 16:22 Post subject: |
|
|
Attention, that Ivan changed the recommendation for OpenSSL 1.0.1:
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Steffen |
|
Back to top |
|
holziusa
Joined: 02 Jan 2008 Posts: 48
|
Posted: Sun 08 Apr '12 16:05 Post subject: SNI TLSv1 |
|
|
for 1st/default vhost
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-TLSv1-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
all others
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
not sure about the order if TLSv1 matters front or end
of line |
|
Back to top |
|