How about config like this:

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
Eero

2016-12-20 18:09 GMT+02:00 Madden, Joe <joe.mad...@mottmac.com>:

> Hi,
>
> Our openvas is showing the following ciphers as a medium risk:
>
> TLS1_0_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS1_0_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS1_0_RSA_WITH_3DES_EDE_CBC_SHA
> TLS1_1_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS1_1_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS1_1_RSA_WITH_3DES_EDE_CBC_SHA
> TLS1_2_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS1_2_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS1_2_RSA_WITH_3DES_EDE_CBC_SHA
>
> Qualys SSL labs report these ciphers are secure and OK therefore I presume
> that these are either:
>
> 1) Incorrectly reported as vulnerable to Beast/Lucky13
>
> Or
>
> 2) Being reported as part of “Any cipher considered to be secure
> for only the next 10 years is considered as medium”
>
> Apache is set to use:
>
> SSLCipherSuite !ADH:!RC4-SHA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:ALL
>
> Latest patch levels for apache/OpenSSL.
>
> Can anyone clarify?
>
> Thanks
>
> Joe
>
> _______________________________________________
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
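An added example, not part of the thread and not code from OpenVAS or Apache: it triages the nine reported findings against the proposed SSLProtocol and SSLCipherSuite values, showing which findings are closed by disabling a protocol and which depend on the cipher string. Assumptions: the function names are illustrative, and the cipher string is expanded by the OpenSSL library linked into the local Python, which can differ from the server's build, so a re-scan of the server remains the real check.

```python
import re
import ssl

# The nine findings quoted in the thread, in the scanner's naming scheme.
REPORTED = [f"TLS1_{minor}_{kx}_WITH_3DES_EDE_CBC_SHA"
            for minor in (0, 1, 2) for kx in ("ECDHE_RSA", "DHE_RSA", "RSA")]

# Directive values proposed in the reply.
PROPOSED_PROTOCOLS = "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
PROPOSED_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
                    "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")

FINDING_RE = re.compile(r"^TLS1_(\d)_(.+)_WITH_(.+)$")

def parse_finding(name):
    """Split a scanner finding into (SSLProtocol token, key exchange, cipher)."""
    m = FINDING_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised finding: {name!r}")
    minor, kx, cipher = m.groups()
    return ("TLSv1" if minor == "0" else f"TLSv1.{minor}"), kx, cipher

def disabled_protocols(directive):
    """Protocol tokens switched off with a leading '-' in SSLProtocol."""
    return {tok[1:] for tok in directive.split() if tok.startswith("-")}

def expand(cipher_string):
    """Suites the LOCAL OpenSSL selects for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

def triage(findings, protocols, cipher_string):
    """Map each finding to the reason it is (or is not) closed."""
    off = disabled_protocols(protocols)
    # OpenSSL names its 3DES suites "...DES-CBC3-SHA".
    selects_3des = any("DES-CBC3" in n for n in expand(cipher_string))
    verdict = {}
    for name in findings:
        proto, _kx, cipher = parse_finding(name)
        if proto in off:
            verdict[name] = "protocol disabled"
        elif cipher.startswith("3DES") and not selects_3des:
            verdict[name] = "cipher not selected"
        else:
            verdict[name] = "still offered"
    return verdict

if __name__ == "__main__":
    for name, why in triage(REPORTED, PROPOSED_PROTOCOLS, PROPOSED_CIPHERS).items():
        print(f"{name:45} {why}")
```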