On Thu, Jul 28, 2016 at 10:00 PM, Michele Mase' <michele.mase@xxxxxxxxx> wrote: > > Any suggestion? Ciphers must be negotiated before HTTP is decrypted (and hence vhost selection can happen). With SSLHonorCipherOrder off, the negotiated cipher is probably RC4-SHA (the one preferred by the client). With SSLHonorCipherOrder on, the negotiated cipher is probably an ECDHE one (preferred by the server), which the old java also support but to some extent (eg. DH <= 1024, see https://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh). Anyway, since you still want stronger ciphers for the other clients/vhosts, why not put the legacy one on its own (different) IP or port, configured with a suitable/compatible CipherSuite (CipherOrder shouldn't matter here) ? Regards, Yann. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx