Issue
SSL3 Ciphers
I'm trying to get SSL Labs to give me a higher than C rating, but the only way to do so is to disable all SSL3 ciphers completely. While on our server it's fine to only have TLS 1.2, on some clients that's a problem, as BlackBerry doesn't support TLS 1.2, only TLS 1.0 or 1.1, so we can't use ActiveSync.
I've looked into disabling weak ciphers, but this doesn't seem to work, at least not the ones I've tried. Has anyone got any good experience with ciphers, and what would make SSL Labs know I've disabled SSL3 but still have TLS 1.0, 1.1 & 1.2?
Current config in ssl.conf:
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
However, only this will get me to A+ when enabling HSTS:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH
Responses (1)
Accepted Answer
Hi James,
This is what we shipped with ClearOS 7 (both webconfig and the Web Server app):
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
I don't think this provided an A+ grade with SSL Labs, but it was close. It's always a balance between security and breaking stuff. In fact, we had to revert the SSLProtocol line just recently: we're allowing SSLv3 again in webconfig... for now. We want to go back to disabling SSLv3 in 7.2.
SSLProtocol all -SSLv2 -TLSv1
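The thread mixes two different knobs: SSLProtocol decides which protocol versions the server will negotiate, while tokens such as -SSLv3 inside SSLCipherSuite only filter cipher suites by the protocol version they were defined in. The following lint is an added example, not ClearOS's or the poster's code; it reimplements Apache's documented SSLProtocol token rules (assuming Apache 2.4 with OpenSSL 1.0.1+, where "all" means SSLv3 plus every TLS version) and checks a cipher string for weak aliases that are still positively selected. The weak-alias list is chosen for this example.

```python
"""Lint for the mod_ssl directives discussed in this thread (constructed example)."""
import re

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # assumed Apache 2.4 / OpenSSL 1.0.1+
ALL = frozenset(KNOWN[1:])                                # "all" never includes SSLv2
WEAK = ("aNULL", "eNULL", "EXP", "LOW", "MD5", "RC4", "3DES")  # alias list chosen for this example
PROTO_ALIASES = {"sslv2", "sslv3", "tlsv1", "tlsv1.2"}     # OpenSSL cipher-list aliases, not protocols

def enabled_protocols(directive: str) -> frozenset:
    """Protocol versions that an SSLProtocol argument list actually enables."""
    enabled = set()
    for token in directive.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            versions = set(ALL)
        else:
            versions = {k for k in KNOWN if k.lower() == name.lower()}  # matching is case-insensitive
            if not versions:
                raise ValueError(f"unknown protocol {name!r}")
        if action == "+":
            enabled |= versions
        elif action == "-":
            enabled -= versions
        else:  # no prefix: Apache replaces whatever was set before (and warns about it)
            enabled = versions
    return frozenset(enabled)

def _parts(cipher_suite: str) -> list:
    # OpenSSL accepts ':', ',' or spaces between cipher strings; Apache may quote the value
    return [p for p in re.split(r"[:, ]+", cipher_suite.strip().strip('"')) if p]

def permitted_weak_aliases(cipher_suite: str) -> list:
    """Weak aliases selected by a positive component and not removed with '!' or '-'."""
    parts = _parts(cipher_suite)
    excluded = {a.upper() for p in parts if p[0] in "!-" for a in p[1:].split("+")}
    positive = {a.upper() for p in parts if p[0] not in "!-" for a in p.split("+")}
    return [w for w in WEAK if w.upper() in positive and w.upper() not in excluded]

def protocol_aliases(cipher_suite: str) -> list:
    """Protocol names used as cipher-list tokens: they filter suites, not protocol versions."""
    return [p for p in _parts(cipher_suite) if p.lstrip("!-").lower() in PROTO_ALIASES]

if __name__ == "__main__":
    for line in ("-ALL +TLSv1 +TLSv1.1 +TLSv1.2", "all -SSLv2 -SSLv3 -TLSv1", "all -SSLv2 -TLSv1"):
        print(f"SSLProtocol {line:32} -> {sorted(enabled_protocols(line))}")
    clearos = "ECDH+AESGCM:DH+AESGCM:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:-SSLv3"
    print("weak aliases still selected:", permitted_weak_aliases(clearos))
    print("protocol aliases in cipher string:", protocol_aliases(clearos))
```

Run against the lines quoted above, it shows that the reverted ClearOS SSLProtocol line re-enables SSLv3 while TLSv1 stays off, and that both ClearOS cipher strings still positively select 3DES.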