On Mon, 26 Jan 2015, Alessandro Baggi wrote:

Hi list, I'm configuring apache with https and I've a question about sslv3 deactivation.

Running "openssl ciphers -v" I get a list of cypher suite of openssl like:

ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD .........

Each lines report relative protocol.

Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like:

ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1

that has protocol SSLv3?

Disabling SSLv3 protocol, apache will use only TLSv1.2 cypher protocol?

Unless you're running a site that strictly controls the clients that access it (e.g., corporate intranet), limiting Apache to TLS 1.2 will probably keep some people away since not all widely used browsers support it yet.

Here's what I do (Apache 2.4)

SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP SSLHonorCipherOrder on SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1

I'd love to disable TLSv1 and 1.1, but the accessibility trade-offs are too much for me.