RE: Enabling Forward secrecy on SSL


 



The most common way we did this was, in the virtual host directive for the SSL side of the site, to declare what is and is not allowed.

Plenty of docs on this out there but here is ours:

SSLEnable
SSLProtocolDisable SSLv2 SSLv3
# Clear the default cipher list before adding suites explicitly
SSLCipherSpec ALL NONE
# ECDHE key exchange suites, TLS 1.2 only
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# Static RSA key exchange suites, all protocols
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLClientAuth 0

Don Abernathy

Group Manager- Web Services

T: 617-954-4127
MFS Investment Management
111 Huntington Ave, Boston, MA 02199

 

 

From: Chunduru, Krishnachaithanya [mailto:Krishnachaithanya.Chunduru@xxxxxxxxxxxxxx]
Sent: Friday, March 17, 2017 10:37 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Enabling Forward secrecy on SSL

 

Hi All,

 

Can someone advise me on how to achieve the below on a server running with Apache SSL enabled?

 

- SSL - Supports Weak Encryption: The following protocols should be switched on - TLS 1.2, TLS 1.1, TLS 1.0. SSL 3 and SSL 2 should be disabled.
- Weak Configuration - SSL/TLS - Deprecated Protocol: Disable the use of SSL 2.0 and 3.0 as well as TLS 1.0. Use TLS 1.1, 1.2, or later and set the latest protocol as preferred.
- The Server Does Not Support Forward Secrecy:

 

Regards,

Krishna
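
An added example, not part of the original thread or either poster's code: a short Python audit of the directives in the reply above that sorts each SSLCipherSpec suite by whether its key exchange is ephemeral (ECDHE/DHE, forward secrecy) or static RSA (none). The function names and the treatment of `NONE` as a list reset are assumptions made for this example.

```python
import re

# The directives from the reply above, embedded as sample input.
CONFIG = """\
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLClientAuth 0
"""

def is_forward_secret(suite):
    """True if a pre-TLS 1.3 suite name uses ephemeral (EC)DH key exchange."""
    m = re.match(r"TLS_([A-Z0-9]+)_", suite)
    return bool(m) and m.group(1) in ("ECDHE", "DHE")

def audit(config):
    """Return (disabled protocols, forward-secret suites, other suites)."""
    disabled, suites = set(), []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "SSLProtocolDisable":
            disabled.update(parts[1:])
        elif parts[0] == "SSLCipherSpec" and len(parts) == 3:
            scope, suite = parts[1], parts[2]
            if suite == "NONE":
                # Assumption: "<scope> NONE" empties the list built so far for that scope.
                suites = [s for s in suites if scope != "ALL" and s[0] != scope]
            else:
                suites.append((scope, suite))
    fs = [s for _, s in suites if is_forward_secret(s)]
    other = [s for _, s in suites if not is_forward_secret(s)]
    return disabled, fs, other

if __name__ == "__main__":
    disabled, fs, other = audit(CONFIG)
    print("disabled protocols:", sorted(disabled))
    print("forward-secret suites:", *fs, sep="\n  ")
    print("no forward secrecy:", *other, sep="\n  ")
```

On the configuration above it reports four ECDHE suites under TLSv12 and four TLS_RSA suites under ALL; a client that negotiates one of the latter gets no forward secrecy.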

 

