Hi,

Thanks. Are these ciphers PFS friendly?

Thanks.
Dave.

On 2/18/18, Michael A. Peters <mpeters@xxxxxxxxxxxxxx> wrote:
> On 02/18/2018 09:00 AM, David Mehler wrote:
>> Hello,
>>
>> I'm looking for recommendations. I'm running Apache 2.4 and OpenSSL
>> 1.0.2n. I'm looking for the strongest certificates that support
>> TLSv1.2 and PFS.
>>
>> Recommendations/pros/cons welcome.
>>
>> Thanks.
>> Dave.
>>
>
> For sites that don't need Tumblr to be able to scrape the OpenGraph data
> (Tumblr seems to use a buggy version of libcurl that doesn't tolerate
> ECDSA certs) I use the following:
>
> SSLCipherSuite "EECDH+CHACHA20 EECDH+AES256 -SHA"
>
> For sites that I need to be social media friendly, I use RSA cert with
> the following:
>
> SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256"
>
> Example of how SSL Labs sees ECDSA config:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=librelamp.com&latest
>
> Note that the "Android" browser in some versions of Android can't
> connect, that's because I use LibreSSL which no longer ships the
> deprecated preview version of ChaCha20 and Google, being one of the
> richest companies in the world, can't afford to update those versions of
> Android to use the stable ChaCha20 cipher suite.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
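
Added example, not part of the thread or of anyone's posted configuration: one way to check the forward-secrecy question is to let the local OpenSSL expand each quoted cipher string and inspect the key exchange of every suite it enables. It uses Python's `ssl` module; the constant and function names are assumptions of this example, and the suite list depends on the OpenSSL build Python is linked against.

```python
import ssl

# Cipher strings quoted from the thread (closing quote restored on the second).
ECDSA_SITE = "EECDH+CHACHA20 EECDH+AES256 -SHA"
RSA_SITE = ("EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 "
            "EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256")

# Forward secrecy needs an ephemeral key exchange: ECDHE or DHE. TLS 1.3 suites
# report "kx-any"; certificate-based TLS 1.3 handshakes always use (EC)DHE.
PFS_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    # TLS 1.3 suites are listed too; set_ciphers() does not control them.
    return ctx.get_ciphers()


def audit(cipher_string):
    """Split the enabled suites into (pfs_names, non_pfs_names)."""
    pfs, non_pfs = [], []
    for suite in expand(cipher_string):
        # An unknown or missing "kea" value counts as non-PFS (fail closed).
        bucket = pfs if suite.get("kea") in PFS_KEA else non_pfs
        bucket.append(suite["name"])
    return pfs, non_pfs


def report(label, cipher_string):
    """Print a summary; return True when every enabled suite has PFS."""
    pfs, non_pfs = audit(cipher_string)
    print(f"{label}: {len(pfs)} PFS suites, {len(non_pfs)} without PFS")
    for name in non_pfs:
        print(f"  no forward secrecy: {name}")
    return not non_pfs


if __name__ == "__main__":
    report("ECDSA cert string", ECDSA_SITE)
    report("RSA cert string", RSA_SITE)
    # Constructed counter-example: static RSA key exchange, no PFS.
    report("kRSA+AES (constructed)", "kRSA+AES")
```

`EECDH` and `EDH` are OpenSSL aliases for ECDHE and DHE key exchange, so any suite a string admits outside those families shows up in the second list.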