Re: SSLCipherSuite DEFAULT

Have you tried the Mozilla SSL generator? It is generally quite good:

For intermediate security allowing TLSv1.2, for example:
https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

On Tue, 20 Apr 2021 at 17:46, Jim Albert (<jim@xxxxxxxxxxxxx>) wrote:
>
> On 4/20/2021 9:48 AM, @lbutlr wrote:
> > If I define SSLCipherSuite DEFAULT will apache show the ciphers that are defined by openSSL and will be used?
> >
> > Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
> >
> > The complete list of ciphers that openssl supports numbers 60 and still includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
> >
> > Trying to search on recommendations comes up with a lot of "use these settings to allow IE 6.0", which is of literally no interest to me at all.
> >
> > This is what I am looking at using:
> >
> > Protocols h2 h2c http/1.1
> > SSLCipherSuite DEFAULT
> > SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
> >
> > But I may relent on TLSv1/1.1 after checking logs.
> >
> > I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the older TLS and SSL, that will provide ciphers and security that are supported by current browsers, and if I allow TLSv1 it should support old browsers going back more than a decade, yes?
> >
>
> Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
> Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.
>
> I believe running 'openssl ciphers' will list your openssl
> installation's default cipher list which I am assuming is what
> SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have to
> confirm that.
>
> I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS
> as a decent starting point. Intermediate is usually a pretty good
> starting point for a public web server. Then watching for any
> cipher-based vulnerabilities that are announced or reported by any
> vulnerability testing you might have performed.
>
> https://www.ssllabs.com/ssltest/
> is a pretty nice site to check on your httpd SSL configs.
>
> Jim
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode
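Jim's suggestion to run 'openssl ciphers' and confirm what DEFAULT really contains, worked through as an added example that is not from any poster in this thread: the script parses `openssl ciphers -v` output (a constructed sample is embedded, not captured from a real installation; `audit_installed` is a hypothetical helper that runs the local openssl binary) and flags the suites a public web server would usually drop: non-AEAD CBC/HMAC suites, static-RSA key exchange without forward secrecy, PSK suites, and SHA-1 MACs.

```python
import re
import subprocess

# Constructed sample of `openssl ciphers -v DEFAULT` output (not captured from
# any real installation). Columns: name, minimum protocol, Kx=, Au=, Enc=, Mac=.
SAMPLE_OPENSSL_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AES(256)  Mac=SHA384
AES128-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK   Enc=AES(128)  Mac=SHA256
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def weaknesses(c):
    """Reasons a defender would drop this suite from a public web server's list."""
    reasons = []
    if c["mac"] != "AEAD":
        reasons.append("non-AEAD (CBC/HMAC)")
    if c["kx"] == "RSA":
        reasons.append("no forward secrecy (RSA key exchange)")
    if c["kx"] == "PSK" or c["au"] == "PSK":
        reasons.append("PSK suite, irrelevant for browsers")
    if c["mac"] == "SHA1":
        reasons.append("SHA-1 MAC")
    return reasons

def audit(text):
    """Return (suite counts per minimum protocol, [(name, reasons)] for flagged suites)."""
    counts, flagged = {}, []
    for c in parse_ciphers(text):
        counts[c["proto"]] = counts.get(c["proto"], 0) + 1
        if weaknesses(c):
            flagged.append((c["name"], weaknesses(c)))
    return counts, flagged

def audit_installed(spec="DEFAULT"):
    """Hypothetical helper: audit the local OpenSSL's expansion of a cipher string."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec], capture_output=True, text=True, check=True)
    return audit(out.stdout)

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_OPENSSL_CIPHERS_V)
    print("suites per minimum protocol:", counts)
    for name, reasons in flagged:
        print(f"{name}: {'; '.join(reasons)}")
```

Replace the sample with `audit_installed("DEFAULT")` to see what your own installation's DEFAULT expands to, then compare against the Mozilla intermediate list.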
