mrdj1024
Joined: 03 Apr 2023 Posts: 55 Location: Bridgeton,NJ,USA
Posted: Sun 25 Feb '24 5:03 Post subject: SSL ciphers
Hello!
So I am wondering about my SSL config:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder off
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
Do these settings look correct for my TLS 1.2 and 1.3 setup?
DnvrSysEngr
Joined: 15 Apr 2012 Posts: 226 Location: Denver, CO USA
Posted: Sun 25 Feb '24 20:23
Here is what I have for my SSL config:
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProxyProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters Automatic
I do not have SSLProxyCipherSuite set up for my environment.
Looking at what you have configured, I would say you are 'good to go.'
Your mileage may vary, meaning: configure what best suits your needs.
Paratrooper
Joined: 15 Jul 2024 Posts: 1
Posted: Mon 15 Jul '24 16:43
Hi James, I have checked your website apachehaus de with https://www.ssllabs.com/ssltest/index.html and it does not display the ECDHE-ECDSA-CHACHA20-POLY1305 or ECDHE-ECDSA-AES256-GCM-SHA384 cipher suites, though they are configured in your ssl.conf.
In fact, you need an ECC key/cert to enable them.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Mon 15 Jul '24 21:51
Paratrooper wrote:
> Hi James, I have checked your website apachehaus de with https://www.ssllabs.com/ssltest/index.html and it does not display the ECDHE-ECDSA-CHACHA20-POLY1305 or ECDHE-ECDSA-AES256-GCM-SHA384 cipher suites, though they are configured in your ssl.conf.
> In fact, you need an ECC key/cert to enable them.

See my screenshot https://ibb.co/WHQQ293; the ciphers are there.
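Two points in this thread are easy to check mechanically: which suites in an SSLCipherSuite string can only be negotiated with an EC certificate (the apachehaus.de observation above), and what SSLHonorCipherOrder on versus off changes in mrdj1024's and DnvrSysEngr's configs. The script below is an added example written for this thread, not code from Apache httpd, OpenSSL or any poster. It parses the two TLS 1.2 cipher strings exactly as posted, classifies each suite by key exchange, authentication and AEAD-or-not, filters out suites the server's certificate key type cannot serve, and runs a simplified negotiation. The certificate key types and the client preference list are constructed assumptions; the model ignores TLS 1.3 suites (configured separately), signature_algorithms and supported groups, so it tells you what the config permits, not what a particular browser will pick.

```python
"""Classify OpenSSL-style TLS 1.2 cipher names from an Apache SSLCipherSuite
string and show which suites a server can actually negotiate.

Added example for this thread, not code from Apache httpd or OpenSSL.
The two cipher lists are the ones posted; certificate key types and the
client preference list are constructed for illustration.
"""
import re

# Posted by mrdj1024 (SSLHonorCipherOrder off)
MRDJ_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
)

# Posted by DnvrSysEngr (SSLHonorCipherOrder on), TLS 1.2 part only
DNVR_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# OpenSSL TLS 1.2 names are <kx>-<auth>-<cipher>[-<mac>]. Assumption: only the
# ECDHE/DHE + ECDSA/RSA families that appear in the thread need to be parsed.
NAME_RE = re.compile(
    r"^(?P<kx>ECDHE|DHE)-(?P<auth>ECDSA|RSA)-"
    r"(?P<enc>AES128-GCM|AES256-GCM|CHACHA20-POLY1305|AES128|AES256)-?"
    r"(?P<mac>SHA256|SHA384)?$"
)


def parse_suite(name):
    """Split one OpenSSL cipher name into its components."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher name: {name}")
    enc = m["enc"]
    return {
        "name": name,
        "kx": m["kx"],          # ECDHE or DHE: both give forward secrecy
        "auth": m["auth"],      # certificate key type the suite requires
        "aead": enc.endswith("GCM") or enc == "CHACHA20-POLY1305",
    }


def parse_suite_list(spec):
    return [parse_suite(n) for n in spec.split(":") if n]


def usable_suites(spec, cert_key_types):
    """Suites the server can offer given the key types of its loaded certs.
    ECDHE-ECDSA-* needs an EC certificate, *-RSA-* an RSA one; a suite whose
    auth type has no matching cert is configured but never negotiated."""
    return [s["name"] for s in parse_suite_list(spec) if s["auth"] in cert_key_types]


def non_aead_suites(spec):
    """CBC suites (AES-SHA256/SHA384) that are not AEAD."""
    return [s["name"] for s in parse_suite_list(spec) if not s["aead"]]


def negotiate(server_spec, client_prefs, honor_server_order, cert_key_types):
    """Simplified TLS 1.2 choice: with SSLHonorCipherOrder on the server walks
    its own list and takes the first suite the client also offers; with it off
    the client's order wins. Returns None when there is no overlap."""
    server = usable_suites(server_spec, cert_key_types)
    first, second = (server, client_prefs) if honor_server_order else (client_prefs, server)
    for name in first:
        if name in second:
            return name
    return None


if __name__ == "__main__":
    # Constructed client preference: a client that prefers AES-128-GCM.
    client = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
    for label, spec in (("mrdj1024", MRDJ_SUITES), ("DnvrSysEngr", DNVR_SUITES)):
        print(f"{label}: RSA cert only ->", usable_suites(spec, {"RSA"}))
        print(f"{label}: non-AEAD suites ->", non_aead_suites(spec))
    print("order on :", negotiate(DNVR_SUITES, client, True, {"RSA"}))
    print("order off:", negotiate(DNVR_SUITES, client, False, {"RSA"}))
```

Run against the two posted lists, the script shows that three of mrdj1024's nine suites and five of DnvrSysEngr's ten are ECDSA-only and silently unusable with an RSA-only certificate, that DnvrSysEngr's list carries four non-AEAD CBC suites that mrdj1024's does not, and that flipping SSLHonorCipherOrder changes which of two mutually acceptable GCM suites is chosen.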