All,

I'm trying to enable (and prefer!) ECDHE ciphers for clients that can support them. I've done the obvious:

    SSLHonorCipherOrder Yes
    SSLProtocol ALL -SSLv2
    SSLCipherSuite ECDHE:ECDH:..[other stuff]

I have confirmed that, when running "openssl ciphers [stuff above]", I get ECDHE ciphers listed at the top of the list. I'm running OpenSSL 1.0.1g-FIPS, so that shouldn't be a problem. Both my browser and Qualys's SSL tester don't seem to be able to use those ciphers.

Is it because I haven't run "openssl ecparam"? I haven't seen this shown as a requirement for enabling ECDHE (or ECDH) ciphers anywhere online, though it makes sense that I'd have to do something like that.

Or is it because I have "SSLProtocols ALL -SSLv2", which prefers SSLv3, then TLSv1, then TLSv1.1, etc., instead of having them in the opposite order? I tried "SSLProtocols TLSv1.2 TLSv1.1 TLSv1 SSLv3 -SSLv2" but I get an error saying that "TLSv1.2 is unrecognized". I'm running httpd 2.2.23 on Amazon Linux. I read in the comments for mod_ssl that httpd 2.2.24 is required for "TLSv1.2" to be specified directly. Is that accurate? I can see in my Qualys test that TLS 1.2 can be used by some of the "simulated clients", so I suspect that it is in fact available -- perhaps just not preferred?

Any help would be appreciated.

Thanks,
-chris
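A client-side check for the situation described in the post: "openssl ciphers" only shows what the server-side list expands to, whereas what matters is which cipher the server actually picks in a handshake, per protocol version. This is an added example, not code from the post or from httpd; it assumes the openssl CLI is installed and takes the host and port as assumed arguments.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a server actually
# negotiates an ECDHE suite on each protocol version, instead of only checking
# what "openssl ciphers" lists. Assumes the OpenSSL CLI; HOST/PORT are arguments.

# Pull "Protocol : X" / "Cipher : Y" out of s_client output; print "PROTO CIPHER",
# or "none" when no cipher was negotiated (s_client shows "Cipher : 0000").
parse_s_client() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then echo "none"
    else echo "$proto $cipher"; fi
}

# Exit 0 only for ECDHE suites (the ones the post wants preferred).
is_ecdhe() {
    case "$1" in ECDHE-*) return 0 ;; *) return 1 ;; esac
}

# One handshake: pin the protocol version and offer ECDHE suites only, so a
# successful handshake proves the server picked an ECDHE cipher.
probe() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" "$3" -cipher 'ECDHE' 2>/dev/null)
    parse_s_client "$out"
}

# Walk the versions the post mentions, newest first.
probe_all() {
    for flag in -tls1_2 -tls1_1 -tls1 -ssl3; do
        res=$(probe "$1" "$2" "$flag")
        if is_ecdhe "${res#* }"; then echo "$flag: ECDHE negotiated ($res)"
        else echo "$flag: no ECDHE ($res)"; fi
    done
}

# Constructed sample of s_client output, so the parser can be shown offline.
SAMPLE='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
parse_s_client "$SAMPLE"   # prints: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

# Usage: sh probe_ecdhe.sh example.com 443
if [ "$#" -ge 2 ]; then probe_all "$1" "$2"; fi
```

If every version reports "no ECDHE" while "openssl ciphers" on the server lists ECDHE suites, the problem is in the server's handshake-time configuration or build, not in the cipher string.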