Hi,

SSL Labs don’t like 3DES, whose key length is considered 112 bits and not 168 bits because it may be subject to a meet-in-the-middle attack.
Remove it by adding the line below to your server definition:

    tls ciphers "HIGH:!aNULL:!3DES"

Ronan

> On 15 August 2017 at 09:54, Andreas Thulin <[email protected]> wrote:
>
> Hi!
>
> I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> results say that
>
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>
> is considered weak. How should I interpret that information, as you see it?
> And shouldn't default cipher strengths be >= 128? I have probably
> misunderstood something, so any pointers in the right direction would be
> lovely.
>
> Link to my test result:
> https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se
>
> My httpd.conf (which I'd like to keep very simple):
> # www.andreasthulin.se - HTTP
> server "www.andreasthulin.se" {
>         alias "esoteric.andreasthulin.se"
>         hsts subdomains
>         listen on * port 80
>         listen on * tls port 443
>         tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
>         tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
>         root "/htdocs/andreasthulin.se"
>         location "*.php" {
>                 fastcgi socket "/run/php-fpm.sock"
>         }
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 root strip 2
>         }
>         directory { index "index.php" }
> }
>
> BR, Andreas
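A local pre-deployment check for the cipher string suggested in this thread, as an added example that is not part of either message: it expands a cipher string with the TLS library Python is linked against and lists any 3DES suites together with the effective and nominal key sizes the library reports. The function names are hypothetical, `"HIGH:!aNULL"` is assumed to be the string in effect when no cipher string is configured, and the result only matches the server if both use the same TLS library build.

```python
import ssl

DEFAULT_STRING = "HIGH:!aNULL"         # assumption: string in effect before the change
HARDENED_STRING = "HIGH:!aNULL:!3DES"  # string suggested in the thread


def expand(cipher_string):
    """Return the suites the local TLS library enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects nothing in this build
    return ctx.get_ciphers()


def is_3des(suite):
    """True if a get_ciphers() entry is a 3DES suite (OpenSSL names use DES-CBC3)."""
    text = suite["name"] + " " + suite.get("description", "")
    return "3DES" in text or "DES-CBC3" in text


def triple_des_suites(cipher_string):
    """List (name, effective_bits, nominal_bits) for every 3DES suite selected."""
    return [
        (s["name"], s["strength_bits"], s["alg_bits"])
        for s in expand(cipher_string)
        if is_3des(s)
    ]


def below_strength(cipher_string, min_bits=128):
    """Names of selected suites whose effective strength is under min_bits."""
    return sorted(
        s["name"] for s in expand(cipher_string) if s["strength_bits"] < min_bits
    )


if __name__ == "__main__":
    for label, string in (("before", DEFAULT_STRING), ("after", HARDENED_STRING)):
        print(label, string)
        print("  suites enabled :", len(expand(string)))
        # Many current library builds no longer ship 3DES at all; an empty
        # list for "before" then reflects the local build, not the server.
        print("  3DES suites    :", triple_des_suites(string))
        print("  under 128 bits :", below_strength(string))
```

Running it on the server host itself gives the most representative answer; an external scan such as the SSL Labs test linked in the question remains the check of what the server actually negotiates.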

