[BlueOnyx:21841] Re: Suggested new SSLCipherSuite
Michael Stauber
mstauber at blueonyx.it
Tue Mar 13 11:47:05 -05 2018
Hi Dirk,
> SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
One small observation:
https://www.ssllabs.com/ssltest/analyze.html?d=5209r1.smd.net&s=38.114.102.16
That's a 5209R Vsite with that exact cipher hardwired into
/etc/httpd/conf/vhosts/siteX - but without HSTS.
SSLlabs reports:
Cipher Suites:
==============
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) 128
There is not a single "DH 2048 bits" cipher remaining. That effectively
disables TLSv1.1 as well, because we no longer offer cipher suites for
it. So we get *only* TLSv1.2 (which I can live with), but also *only*
four remaining cipher suites.
I think that is a bit too extreme.
But I'll use it as a new starting point and will see if I can wiggle
some of the good "DH 2048 bits" ciphers back in.
--
With best regards
Michael Stauber
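As an added example (not from this thread, BlueOnyx or Apache), the following Python script models the effect Michael describes: it walks an Apache SSLCipherSuite string and reports which suites remain usable per TLS version and certificate type. The suite table is constructed from the suites named in Dirk's string plus two classic DHE suites for comparison (SSL Labs labels those "DH 2048 bits"); it assumes the server's OpenSSL supports every suite in the string and parses only explicit suite names and "!NAME" exclusions, not keyword groups such as HIGH or !aNULL.

```python
# Added example, not from the BlueOnyx list: offline model of what an Apache
# SSLCipherSuite string leaves usable per TLS version and certificate type.
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str        # OpenSSL name as written in SSLCipherSuite
    kx: str          # key exchange: "ECDHE" or "DHE" (SSL Labs: "DH 2048 bits")
    auth: str        # certificate type the suite needs: "RSA" or "ECDSA"
    min_tls: tuple   # first protocol version that defines the suite


TLS10, TLS11, TLS12 = (1, 0), (1, 1), (1, 2)

# Constructed table. AES-GCM, CHACHA20-POLY1305 and the SHA256/SHA384 CBC
# suites exist only in TLS 1.2 (RFC 5289, RFC 7905); the CBC-SHA suites go
# back to TLS 1.0 (RFC 4492, RFC 5246).
KNOWN = {s.name: s for s in [
    Suite("ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE", "ECDSA", TLS12),
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA", TLS12),
    Suite("ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE", "ECDSA", TLS12),
    Suite("ECDHE-RSA-CHACHA20-POLY1305", "ECDHE", "RSA", TLS12),
    Suite("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE", "ECDSA", TLS12),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "RSA", TLS12),
    Suite("ECDHE-ECDSA-AES256-SHA384", "ECDHE", "ECDSA", TLS12),
    Suite("ECDHE-RSA-AES256-SHA384", "ECDHE", "RSA", TLS12),
    Suite("ECDHE-ECDSA-AES128-SHA256", "ECDHE", "ECDSA", TLS12),
    Suite("ECDHE-RSA-AES128-SHA256", "ECDHE", "RSA", TLS12),
    Suite("ECDHE-RSA-AES256-SHA", "ECDHE", "RSA", TLS10),
    Suite("DHE-RSA-AES256-SHA", "DHE", "RSA", TLS10),
    Suite("DHE-RSA-AES128-SHA", "DHE", "RSA", TLS10),
]}

# The string Dirk proposed, copied from the quoted line above.
DIRK_SUITE = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)


def parse_cipher_string(spec):
    """Return the ordered list of known suite names selected by spec.

    Mirrors two OpenSSL rules: order is preserved, and a "!NAME" exclusion
    is permanent (the suite cannot be re-added later in the string).
    Unknown tokens are skipped, as OpenSSL skips suites it does not have.
    """
    selected, banned = [], set()
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            banned.add(token[1:])
            selected = [n for n in selected if n != token[1:]]
            continue
        if token in KNOWN and token not in banned and token not in selected:
            selected.append(token)
    return selected


def usable(spec, cert_type, tls_version):
    """Suites a server with a cert_type certificate can offer at tls_version."""
    return [n for n in parse_cipher_string(spec)
            if KNOWN[n].auth == cert_type and KNOWN[n].min_tls <= tls_version]


def report(spec, cert_type):
    """Map each protocol version to the suites that survive for it."""
    return {label: usable(spec, cert_type, ver)
            for label, ver in (("TLSv1.0", TLS10), ("TLSv1.1", TLS11),
                               ("TLSv1.2", TLS12))}


if __name__ == "__main__":
    # With an RSA certificate (the usual case on a 5209R Vsite) the ECDSA
    # suites never apply, and nothing below TLS 1.2 is left at all.
    for label, names in report(DIRK_SUITE, "RSA").items():
        print(f"{label}: {len(names)} suite(s)")
        for n in names:
            print(f"    {n}  ({KNOWN[n].kx} key exchange)")
    # Appending a DHE CBC-SHA suite is what brings TLS 1.0/1.1 back.
    widened = DIRK_SUITE + ":DHE-RSA-AES256-SHA"
    print("TLSv1.1 after adding DHE-RSA-AES256-SHA:",
          usable(widened, "RSA", TLS11))
```

Running it with an RSA certificate shows five TLSv1.2 suites and zero for TLSv1.1, which is the "only TLSv1.2" outcome from the SSL Labs scan; the ECDSA-authenticated half of the string is dead weight unless the Vsite also has an ECDSA certificate. The final line shows that the first DHE CBC-SHA suite appended to the string is the one that re-enables the older protocol versions, so where exactly such a suite is placed, and whether that is wanted at all, is the trade-off Michael's follow-up is about.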