Yes, I only use ciphers that implement forward secrecy.

On 02/18/2018 01:58 PM, David Mehler wrote:
> Hi,
>
> Thanks. Are these ciphers PFS friendly?
>
> Thanks.
> Dave.
>
> On 2/18/18, Michael A. Peters <mpeters@xxxxxxxxxxxxxx> wrote:
>> On 02/18/2018 09:00 AM, David Mehler wrote:
>>> Hello,
>>>
>>> I'm looking for recommendations. I'm running Apache 2.4 and OpenSSL 1.0.2n. I'm looking for the strongest certificates that support TLSv1.2 and PFS. Recommendations/pros/cons welcome.
>>>
>>> Thanks.
>>> Dave.
>>
>> For sites that don't need Tumblr to be able to scrape the OpenGraph data (Tumblr seems to use a buggy version of libcurl that doesn't tolerate ECDSA certs) I use the following:
>>
>>     SSLCipherSuite "EECDH+CHACHA20 EECDH+AES256 -SHA"
>>
>> For sites that I need to be social media friendly, I use an RSA cert with the following:
>>
>>     SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256"
>>
>> Example of how SSL Labs sees the ECDSA config:
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=librelamp.com&latest
>>
>> Note that the "Android" browser in some versions of Android can't connect; that's because I use LibreSSL, which no longer ships the deprecated preview version of ChaCha20, and Google, being one of the richest companies in the world, can't afford to update those versions of Android to use the stable ChaCha20 cipher suite.
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
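Added example, not part of the original thread: one way to check the forward-secrecy question yourself is to expand a cipher string with `openssl ciphers -v` and look at the `Kx=` column of each suite. The function name `non_pfs_suites` and the sample lines are constructed for illustration; the sample follows the `openssl ciphers -v` column layout.

```shell
#!/bin/sh
# Reads `openssl ciphers -v` output on stdin and prints every suite whose
# key exchange is not a known ephemeral one, so it can be reviewed or removed.
#   Kx=ECDH, Kx=DH           ephemeral (ECDHE / DHE) exchanges
#   Kx=ECDHEPSK, Kx=DHEPSK   ephemeral exchange combined with a pre-shared key
#   Kx=any                   TLS 1.3 suites (always ephemeral)
# Anything else (Kx=RSA, Kx=ECDH/RSA, Kx=DH/DSS, Kx=PSK, missing Kx) is flagged.
non_pfs_suites() {
    awk '
        NF == 0 { next }                      # skip blank lines
        {
            kx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Kx=/) kx = substr($i, 4)
            if (kx != "ECDH" && kx != "DH" && kx != "ECDHEPSK" &&
                kx != "DHEPSK" && kx != "any")
                print $1 " Kx=" kx
        }'
}

# Constructed sample in `openssl ciphers -v` format (not output from the
# poster's server): three ephemeral suites, one RSA key transport suite,
# one static-ECDH suite.
SAMPLE='ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD'

printf '%s\n' "$SAMPLE" | non_pfs_suites

# Against a real cipher string from the thread (requires the openssl CLI):
#   openssl ciphers -v 'EECDH+CHACHA20 EECDH+AES256 -SHA' | non_pfs_suites
# No output means every suite the string expands to uses an ephemeral exchange.
```

Run it with the same OpenSSL or LibreSSL build the server links against, since the set of suites a cipher string expands to differs between library versions.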