logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: SSL ciphers
Author
mrdj1024



Joined: 03 Apr 2023
Posts: 55
Location: Bridgeton,NJ,USA

PostPosted: Sun 25 Feb '24 5:03    Post subject: SSL ciphers Reply with quote

hello!
so i am wondering about my ssl config.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder off
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

does these settings look correct for my tls 1.2 and 1.3 setup?
Back to top
DnvrSysEngr



Joined: 15 Apr 2012
Posts: 226
Location: Denver, CO USA

PostPosted: Sun 25 Feb '24 20:23    Post subject: Reply with quote

Here is what I have for my SSL config

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProxyProtocol -all +TLSv1.2 +TLSv1.3

SSLHonorCipherOrder on

SSLCipherSuite SSL
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters Automatic

I do not have SSLProxyCipherSuite set up for my environment.

Looking at what you have configured, I would say you are 'good to go.'

Your mileage may vary, meaning --- configure what best suits your needs.
Back to top
axel.kam



Joined: 11 Jul 2023
Posts: 7

PostPosted: Sun 25 Feb '24 22:11    Post subject: Re: SSL ciphers Reply with quote

mrdj1024 wrote:
does these settings look correct for my tls 1.2 and 1.3 setup?


There is a good start point for ssl config: Mozilla SSL Configuration Generator

You can try Modern configuration (Services with clients that support TLS 1.3 and don't need backward compatibility):
https://ssl-config.mozilla.org/#server=apache&version=2.4.58&config=modern&openssl=3.1.5&guideline=5.7

or Intermediate configuration (General-purpose servers with a variety of clients, recommended for almost all systems):
https://ssl-config.mozilla.org/#server=apache&version=2.4.58&config=intermediate&openssl=3.1.5&guideline=5.7
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Sun 25 Feb '24 23:21    Post subject: Reply with quote

My current A+ config for SSL test lab https://raw.githubusercontent.com/JBlond/debian_build_apache24/master/ssl.conf
Back to top
Paratrooper



Joined: 15 Jul 2024
Posts: 1

PostPosted: Mon 15 Jul '24 16:43    Post subject: Reply with quote

James Blond wrote:
My current A+ config for SSL test lab https://raw.githubusercontent.com/JBlond/debian_build_apache24/master/ssl.conf

Hi James, I have checked your website apachehaus de with https://www.ssllabs.com/ssltest/index.html and it does not display the ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 cipher suits, though configured in your ssl.conf

In fact you need ECC key/cert to enable them.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Mon 15 Jul '24 21:51    Post subject: Reply with quote

Paratrooper wrote:

Hi James, I have checked your website apachehaus de with https://www.ssllabs.com/ssltest/index.html and it does not display the ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 cipher suits, though configured in your ssl.conf

In fact you need ECC key/cert to enable them.


See my screenshot https://ibb.co/WHQQ293 the ciphers are there.
Back to top


Reply to topic   Topic: SSL ciphers View previous topic :: View next topic
Post new topic   Forum Index -> Apache