Hi Dirk,

> SSLCipherSuite 

One small observation:


That's a 5209R Vsite with that exact cipher hardwired into
/etc/httpd/conf/vhosts/siteX - but without HSTS.

SSLlabs reports:

Cipher Suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) 128

There is not a single "DH 2048 bits" cipher remaining. That effectively
disables TLSv1.1 as well, because we no longer offer cipher suites for
it. So we get *only* TLSv1.2 (which I can live with), but also *only*
four remaining cipher suites.

I think that is a bit too extreme.

But I'll use it as a new starting point and will see if I can wiggle
some of the good "DH 2048 bits" ciphers back in.

With best regards

Michael Stauber
Blueonyx mailing list
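Added example, not part of the original message: a check of which protocol versions can still negotiate a given suite list, run over the four suites quoted from the SSL Labs report above. The two DHE suites in `CANDIDATES` are constructed sample input, and classifying by the IANA name suffix is a simplifying assumption of this sketch.

```python
"""Which TLS protocol versions can still negotiate a given cipher-suite list?"""

VERSIONS = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# The four suites from the SSL Labs report quoted in the message.
REPORT = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) 128
"""

# Constructed sample input: two DHE suites one might consider adding back.
CANDIDATES = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"]

def usable_versions(suite):
    """Map an IANA suite name to the protocol versions able to negotiate it."""
    if "_WITH_" not in suite:
        return ("TLSv1.3",)  # TLS 1.3 names carry no key-exchange part
    tail = suite.split("_WITH_", 1)[1]
    # AEAD and SHA-2 suites were defined for TLS 1.2 (RFC 5246/5288/5289)
    # and cannot be selected by TLS 1.0 or 1.1.
    if tail.endswith(("_SHA256", "_SHA384")) or "_CCM" in tail:
        return ("TLSv1.2",)
    if tail.endswith(("_SHA", "_MD5")):
        return ("TLSv1.0", "TLSv1.1", "TLSv1.2")
    raise ValueError(f"unrecognised suite name: {suite}")

def parse_report(text):
    """Extract suite names from lines shaped like 'NAME (0xID) BITS'."""
    return [ln.split()[0] for ln in text.splitlines()
            if ln.strip().startswith("TLS_")]

def coverage(suites):
    """Return {version: [suites usable at that version]}, empty ones kept."""
    table = {v: [] for v in VERSIONS}
    for suite in suites:
        for version in usable_versions(suite):
            table[version].append(suite)
    return table

if __name__ == "__main__":
    current = parse_report(REPORT)
    for extra in [None] + CANDIDATES:
        suites = current + ([extra] if extra else [])
        live = [v for v, s in coverage(suites).items() if s]
        print(f"{extra or 'report as-is':40} -> {', '.join(live)}")
```

A version listed here is only reachable if the server's protocol setting also allows it; the cipher list and the protocol list are separate controls.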
