Re: SSL cipher suites

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 02/18/2018 09:00 AM, David Mehler wrote:
Hello,

I'm looking for recommendations. I'm running apache 2.4 and Openssl
1.0.2n. I'm looking for the strongest certificates that support
TLSV1.2 and PFS.

Recommendations/pro/conns welcome.

Thanks.
Dave.


For sites that don't need Tumblr to be able to scrape the OpenGraph data (Tumblr seems to use a buggy version of libcurl that doesn't tolerate ECDSA certs) I use the following:

SSLCipherSuite "EECDH+CHACHA20 EECDH+AES256 -SHA"

For sites that I need to be social media friendly, I use RSA cert with the following:

SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256

Example of how SSL Labs sees ECDSA config:

https://www.ssllabs.com/ssltest/analyze.html?d=librelamp.com&latest

Note that the "Android" browser in some versions of Android can't connect, that's because I use LibreSSL which no longer ships the deprecated preview version of ChaCha20 and Google, being one of the richest companies in the world, can't afford to update those versions of Android to use the stable ChaCha20 cipher suite.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux