On Sun, Aug 03, 2014 at 09:29:49PM +0200, Pete Stephenson wrote:
> Hi all,
>
> For those running HKPS-enabled servers in the pool, what protocols and
> ciphersuites do you use?
>
> I'd hope that it'd be safe these days to disable SSLv2. How about SSLv3?
> RC4?
>
> I'd like to provide a reasonable fallback to older clients that don't
> support modern ciphers, but without jeopardizing the security of modern
> clients that do.
>

Here is my incantation for Apache (I think this will work in both 2.2
and 2.4, but I don't remember). It gets me an A+ rating on the Qualys
SSL test:

SSLEngine on
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:HIGH:!MEDIUM:!LOW:!SSLv2:!aNULL:!PSK:SSLv3:!3DES
SSLHonorCipherOrder on
SSLCompression Off
SSLInsecureRenegotiation off
SSLOptions StdEnvVars
Header add Strict-Transport-Security: "max-age=15768000"
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

However, I have been mean about some older clients. I don't care about
Yandex, for example, and don't know why they don't update their SSL
capabilities.
--
David Benfell <[email protected]>
See https://parts-unknown.org/node/2 if you don't understand the
attachment.
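
Added example, not part of the message above and not code from its author: a Python audit of the protocol and option directives, assuming mod_ssl evaluates SSLProtocol tokens left to right starting from an empty set. The protocol list, the EXPECT policy and the function names are assumptions of this example.

```python
# Protocol names mod_ssl accepted in the Apache 2.2/2.4 era (assumed set).
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
LEGACY = {"SSLv2", "SSLv3"}
# Hypothetical policy: these directives must be set explicitly to these values.
EXPECT = {"sslcompression": "off", "sslinsecurerenegotiation": "off",
          "sslhonorcipherorder": "on"}

# Constructed sample: protocol and option directives as given in the message.
SAMPLE = """\
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.2
SSLHonorCipherOrder on
SSLCompression Off
SSLInsecureRenegotiation off
"""

def enabled_protocols(args):
    """+X adds, -X removes, a bare X replaces; unknown names raise KeyError."""
    canon = {p.lower(): p for p in KNOWN}
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(KNOWN) if name.lower() == "all" else {canon[name.lower()]}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group
    return [p for p in KNOWN if p in enabled]

def audit(config):
    """Return (enabled protocols, findings) for an Apache TLS config fragment."""
    d = {}
    for line in config.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            d[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    protos = enabled_protocols(d.get("sslprotocol", ""))
    findings = [f"legacy protocol enabled: {p}" for p in protos if p in LEGACY]
    # A version missing between the lowest and highest enabled ones is reported.
    span = [KNOWN.index(p) for p in protos] or [0]
    findings += [f"protocol skipped: {KNOWN[i]}"
                 for i in range(span[0], span[-1]) if KNOWN[i] not in protos]
    findings += [f"{k} is not set to {v}" for k, v in EXPECT.items()
                 if d.get(k, "").lower() != v]
    return protos, findings
```

On the constructed sample, audit(SAMPLE) returns TLSv1 and TLSv1.2 as enabled and one finding, that TLSv1.1 is skipped.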
