[CentOS] Apache and SSLv3

Mon Jan 26 17:25:40 UTC 2015
Paul Heinlein <heinlein at madboa.com>

On Mon, 26 Jan 2015, Alessandro Baggi wrote:

> Hi list,
> I'm configuring apache with https and I've a question about sslv3 
> deactivation.
>
> Running "openssl ciphers -v" I get a list of OpenSSL cipher suites like:
>
> ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) 
> Mac=AEAD
> .........
>
>
> Each line reports the corresponding protocol.
>
> Disabling SSLv3 with "SSLProtocol all -SSLv3", can I use a cipher like:
>
> ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
>
> that has the protocol SSLv3?
>
> Disabling the SSLv3 protocol, will Apache use only the TLSv1.2 cipher protocol?

Unless you're running a site that strictly controls the clients that 
access it (e.g., corporate intranet), limiting Apache to TLS 1.2 will 
probably keep some people away since not all widely used browsers 
support it yet.

Here's what I do (Apache 2.4):

   SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP
   SSLHonorCipherOrder on
   SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1

I'd love to disable TLSv1 and 1.1, but the accessibility trade-offs 
are too much for me.

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
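The question above hinges on what the protocol column in "openssl ciphers -v" means: it is the oldest protocol a suite can be negotiated under, not the only one, so an "SSLv3" suite such as ECDH-RSA-DES-CBC3-SHA stays available under TLS 1.0 through 1.2 even after "SSLProtocol all -SSLv3". Only SSLCipherSuite removes it. The following script, added here as an illustration and not code from either poster, parses that output format and shows which suites a given SSLProtocol value still leaves negotiable. The sample lines are constructed in the shape of OpenSSL 1.0.x output, and the expansion of Apache's "all" keyword to SSLv3/TLSv1/TLSv1.1/TLSv1.2 is an assumption matching httpd 2.4 on OpenSSL 1.0.1.

```python
"""Check which `openssl ciphers -v` suites an Apache SSLProtocol value leaves
negotiable.  Added illustration for this thread, not code from the original
posts.  SAMPLE is constructed in the format of OpenSSL 1.0.x output, and
APACHE_ALL is the assumed expansion of the `all` keyword (httpd 2.4 + OpenSSL
1.0.1)."""
import re
from collections import namedtuple

Suite = namedtuple("Suite", "name min_proto kx au enc mac export")

# Protocol versions from oldest to newest.  The protocol column printed by
# `openssl ciphers -v` is the OLDEST version a suite works with; every newer
# version can negotiate it too.
PROTO_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumption, see docstring

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

# Constructed sample in the format of `openssl ciphers -v` (OpenSSL 1.0.x).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` output into a list of Suite records."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised cipher line: %r" % line)
        suites.append(Suite(m["name"], m["proto"], m["kx"], m["au"],
                            m["enc"], m["mac"], bool(m["export"])))
    return suites


def enabled_protocols(sslprotocol):
    """Expand an Apache SSLProtocol value such as 'all -SSLv3' or
    '+TLSv1.2 +TLSv1.1 +TLSv1' into the set of enabled protocol names."""
    enabled = set()
    for tok in sslprotocol.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(APACHE_ALL) if name.lower() == "all" else {name}
        unknown = names - set(PROTO_ORDER)
        if unknown:
            raise ValueError("unknown protocol(s): %s" % ", ".join(sorted(unknown)))
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def negotiable(suites, sslprotocol):
    """Suites still negotiable: a suite is usable under any enabled protocol
    that is at least as new as its minimum version, so disabling SSLv3 alone
    never drops a suite whose column reads SSLv3."""
    enabled = enabled_protocols(sslprotocol)
    if not enabled:
        return []
    newest = max(PROTO_ORDER.index(p) for p in enabled)
    return [s for s in suites if PROTO_ORDER.index(s.min_proto) <= newest]


LEGACY_ENC = ("3DES", "DES", "RC4", "RC2", "IDEA", "None")


def legacy_reasons(suite):
    """Reasons a suite should be removed via SSLCipherSuite rather than
    expected to disappear with SSLProtocol."""
    reasons = []
    if suite.export:
        reasons.append("export-grade")
    if suite.enc.split("(")[0] in LEGACY_ENC:
        reasons.append("cipher " + suite.enc)
    if suite.mac == "MD5":
        reasons.append("MD5 MAC")
    if suite.au == "None":
        reasons.append("anonymous")
    return reasons


if __name__ == "__main__":
    suites = parse_ciphers_v(SAMPLE)
    for setting in ("all -SSLv3", "+TLSv1.2 +TLSv1.1 +TLSv1", "TLSv1.2"):
        print("SSLProtocol %s -> %d of %d suites still negotiable"
              % (setting, len(negotiable(suites, setting)), len(suites)))
    for s in negotiable(suites, "all -SSLv3"):
        flags = ", ".join(legacy_reasons(s)) or "ok"
        print("  %-28s min %-7s %s" % (s.name, s.min_proto, flags))
```

Run as-is it prints that every sample suite, 3DES and RC4 included, survives "SSLProtocol all -SSLv3" and even a TLS 1.2-only setting; the legacy flags are what you would feed back into SSLCipherSuite (for example appending !3DES:!RC4 to the list Paul posted).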