Hi Dirk,

> SSLCipherSuite
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

One small observation:

https://www.ssllabs.com/ssltest/analyze.html?d=5209r1.smd.net&s=38.114.102.16

That's a 5209R Vsite with that exact cipher hardwired into /etc/httpd/conf/vhosts/siteX - but without HSTS.

SSLlabs reports:

Cipher Suites:
==============
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   128

There is not a single "DH 2048 bits" cipher remaining. That effectively disables TLSv1.1 as well, because we no longer offer cipher suites for it.

So we get *only* TLSv1.2 (which I can live with), but also *only* four remaining cipher suites. I think that is a bit too extreme. But I'll use it as a new starting point and will see if I can wiggle some of the good "DH 2048 bits" ciphers back in.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
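Added example (not part of the list thread or of BlueOnyx): it expands the SSLCipherSuite string quoted in the mail with the local OpenSSL and reports which suites a TLS 1.0/1.1 client could still negotiate, which is the mechanism behind "that effectively disables TLSv1.1". The second, wider string is constructed here to show what adding DHE suites (what SSL Labs labels "DH 2048 bits") and TLS 1.0-era ECDHE CBC-SHA1 suites changes; results depend on the OpenSSL build Python is linked against.

```python
"""Expand an Apache SSLCipherSuite string and check what it leaves for
clients older than TLS 1.2. Constructed example; uses only the standard
library's ssl module and the OpenSSL it is linked against."""
import ssl

# The SSLCipherSuite value quoted in the mail above.
MAIL_SPEC = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# Constructed variant: the same list plus two finite-field DHE suites and
# two ECDHE CBC-SHA1 suites that TLS 1.0/1.1 clients can still use.
WIDER_SPEC = (MAIL_SPEC + ":DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
              ":ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA")


def expand(spec):
    """Return [(name, min_protocol)] as the local OpenSSL resolves `spec`.
    OpenSSL 1.1.1+/3.x also appends its TLS 1.3 suites; those are dropped
    because SSLCipherSuite does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def pre_tls12_suites(spec):
    """Suites a TLS 1.0/1.1 client could negotiate. AEAD suites and suites
    with a SHA-256/SHA-384 MAC exist only from TLS 1.2 on, so an empty
    result means TLS 1.1 is off even if SSLProtocol still permits it."""
    return [n for n, p in expand(spec) if p not in ("TLSv1.2", "TLSv1.3")]


def dhe_suites(spec):
    """Finite-field DHE suites (SSL Labs reports them as 'DH 2048 bits')."""
    return [n for n, _ in expand(spec) if n.startswith("DHE-")]


if __name__ == "__main__":
    for label, spec in (("mail", MAIL_SPEC), ("wider", WIDER_SPEC)):
        print(f"{label}: {len(expand(spec))} suites; "
              f"DHE={dhe_suites(spec)}; pre-TLS1.2={pre_tls12_suites(spec)}")
```

Note that `expand` lists every suite the string selects, so the ECDSA suites appear here even though the SSL Labs scan shows only the RSA ones, since a Vsite with an RSA certificate can never negotiate them.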