Try the configuration tool at https://mozilla.github.io/server-side-tls/ssl-config-generator/ .

Dave.

On 07/12/16 06:19 AM, Tea Wrex wrote:
> I have been using the Qualys SSL Labs SSL Server Test
> <https://www.ssllabs.com/ssltest/index.html> to test my SSL
> implementation. It scores an SSL server using the criteria located in
> the SSL Server Rating Guide
> <https://www.ssllabs.com/projects/rating-guide/index.html>. I'm trying
> to make the SSL as secure as possible. I have a 4096 bit certificate.
> My server currently gets an A+ rating because I have enabled HTTP
> Strict Transport Security (HSTS) with long duration. (More info on
> correctly configuring SSL can be found here
> <https://www.ssllabs.com/projects/documentation/index.html>.)
>
> What I am trying to do is get the /Key Exchange/ and /Cipher Strength/
> scores to be 100 percent. I already have a 100 percent grade for the
> /Certificate/ and /Protocol Support/ scores.
>
> I have no idea how to fix the /Key Exchange/ score, so I need help
> with that.
>
> I have been trying to change the /Cipher Strength/ score by playing
> with different variations of /SSLCipherSuite/.
>
> This is my current setting for /SSLCipherSuite/:
>
> SSLCipherSuite ECHD:!aNULL:!NULL:!eNULL:!MEDIUM:!LOW:!MD5:!RC4
>
> It says in the Apache manual under /SSLCipherSuite/ that MEDIUM is
> "all ciphers with 128 bit encryption." However, when I have set
> !MEDIUM (as shown above) it does not remove the 128bit ciphers as they
> are still listed in the test results. I have tried various settings
> but cannot seem to remove the 128 bit ciphers. I also tried -MEDIUM but
> that did not work either.
>
> Thanks in advance for any help you can give,
>
> Tea

--
David Copeland
JSI Data Systems Limited
613-727-9353
www.jsidata.ca
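
A local way to see which suites a cipher string still selects before re-running the SSL Labs test, as an added example that is not part of the original thread. The `suites_below` helper, the `CIPHER_STRING` variable and the sample `openssl ciphers -v` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the suites in `openssl ciphers -v` output whose
# symmetric key is smaller than a chosen minimum.

# suites_below MIN
#   Reads `openssl ciphers -v` lines on stdin and prints "NAME BITS"
#   for every suite with fewer than MIN encryption bits.
suites_below() {
    awk -v min="$1" '
    {
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Enc=/) continue
            bits = 0                       # Enc=None carries no "(bits)" part
            if ($i ~ /\(/) {
                bits = $i
                sub(/^.*\(/, "", bits)     # drop the "Enc=AESGCM(" prefix
                sub(/\).*$/, "", bits)     # drop the trailing ")"
            }
            if (bits + 0 < min) print $1, bits + 0
        }
    }'
}

# Constructed sample in the format `openssl ciphers -v` prints.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-NULL-SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1'

# Report every sample suite below 256 bits.
sample_report() { printf '%s\n' "$SAMPLE" | suites_below 256; }

# Against a real SSLCipherSuite value (CIPHER_STRING is a placeholder), use
# the openssl binary that matches the library mod_ssl is linked against:
#   openssl ciphers -v "$CIPHER_STRING" | suites_below 256
# An empty result means no suite under 256 bits is selected.
sample_report
```

OpenSSL's `ciphers` documentation describes MEDIUM as only some of the suites using 128 bit encryption and HIGH as including some suites with 128-bit keys, so `!MEDIUM` on its own can leave 128-bit entries in this report.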
