Re: SSLCipherSuite DEFAULT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 20 Apr 2021, at 09:45, Jim Albert <jim@xxxxxxxxxxxxx> wrote:
> On 4/20/2021 9:48 AM, @lbutlr wrote:
>> If I define SSLCipherSuite DEFAULT will apache show the ciphers that are defined by openSSL and will be used?
>> 
>> Is this the best way to go, or should I specifically list TLSv1.2 and TLS1.3?
>> 
>> The complete list of ciphers that openssl supports numbers 60 and still 
> includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
>> 
>> Trying to search on recommendations comes up with a lot of "use these settings to allow IE 6.0" which is of literally no. interest to me at all.
>> 
>> This is what I am looking at using:
>> 
>> Protocols h2 h2c http/1.1
>> SSLCipherSuite DEFAULT
>> SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
>> 
>> But I may relent on TLSv1/1.1 after checking logs.
>> 
>> I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow the older TLS and SSL that will provide ciphers and security that are supported by current browsers and if I allow TLSv1 it should support old browsers going back more than a decade, yes?
>> 
> 
> Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
> Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.

Right, and I am running the current version of OpenSSL which, for example, doesn't support SSLv3 or TLSv1.1.

> I believe running 'openssl ciphers'

Ad that shows ciphers for TLSv1.1 and SSLv3, which is why I am a tad confused.

> will list your openssl installation's default cipher list which I am assuming is what SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have to confirm that.
> 
> I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS as a decent starting point. Intermediate is usually a pretty good starting point for a public web server. Then watching for any cipher-based vulnerabilities that are announced or reported by any vulnerability testing you might have performed.

Thanks, I did not find that, I was diving in apache 2.4 examples that were 3+ years old.

It's impressive how much faster h2 is than http/1.1.

-- 
Bart, don't use the Touch of Death on your sister.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux