Resolved
0 votes
I'm trying to get SSL Labs to give me a rating higher than a C, but the only way to do so is to disable all SSL3 ciphers completely. On our server it's fine to only have TLS 1.2; however, on some clients that's a problem, as BlackBerry doesn't support TLS 1.2, only TLS 1.0 or 1.1, so we can't use ActiveSync.

I've looked into disabling weak ciphers, but this doesn't seem to work, at least not with the ones I've tried. Has anyone had good experience with ciphers? What would make SSL Labs know I've disabled SSL3 while still having TLS 1.0, 1.1 & 1.2?

Current config in ssl.conf:

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

However, only this will get me to A+ (with HSTS enabled):

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH
Monday, November 16 2015, 02:53 PM
Responses (1)
  • Accepted Answer

    Wednesday, November 18 2015, 06:59 PM
    Resolved
    0 votes
    Hi James,

    This is what we shipped with ClearOS 7 (both webconfig and the Web Server app):

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

    I don't think this provided an A+ grade with SSL Labs, but it was close. It's always a balance between security and breaking stuff. In fact, we had to revert the SSLProtocol line just recently -- we're allowing SSLv3 again in webconfig... for now. We want to go back to disabling SSLv3 again in 7.2.

    SSLProtocol all -SSLv2 -TLSv1
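The thread turns on what each SSLProtocol line actually leaves enabled: the asker's "-ALL +TLSv1 +TLSv1.1 +TLSv1.2", the ClearOS 7 line, and the reverted line that allows SSLv3 again. The following is an added example (not code from the thread or from ClearOS) that applies mod_ssl's token rules to those lines; it assumes "all" expands to SSLv3 through TLSv1.2, as with httpd 2.4 on OpenSSL 1.0.1+.

```python
"""Evaluate Apache mod_ssl SSLProtocol directives the way mod_ssl parses them.

Token rules (from mod_ssl's directive parser): a '+' prefix adds the protocol
to the enabled set, a '-' prefix removes it, and an unprefixed token replaces
the whole set with that protocol.  Keywords are case-insensitive.
Assumption: 'all' expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (httpd 2.4 on
OpenSSL 1.0.1+, the CentOS 7 / ClearOS 7 era of this thread).
"""

PROTOCOLS = {
    "sslv2": {"SSLv2"},
    "sslv3": {"SSLv3"},
    "tlsv1": {"TLSv1"},
    "tlsv1.1": {"TLSv1.1"},
    "tlsv1.2": {"TLSv1.2"},
    "all": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
}


def enabled_protocols(directive: str) -> set:
    """Return the set of protocol versions an 'SSLProtocol ...' line enables."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        protos = PROTOCOLS[name.lower()]  # unknown keyword -> KeyError, as mod_ssl rejects it
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:  # unprefixed token replaces everything set so far
            enabled = set(protos)
    return enabled


def allows_sslv3(directive: str) -> bool:
    """True when the line still lets clients negotiate SSLv3."""
    return "SSLv3" in enabled_protocols(directive)


if __name__ == "__main__":
    for line in (
        "SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2",  # the asker's line
        "SSLProtocol all -SSLv2 -SSLv3 -TLSv1",       # ClearOS 7 as shipped
        "SSLProtocol all -SSLv2 -TLSv1",              # the reverted line
    ):
        print(f"{line:44} -> {sorted(enabled_protocols(line))}  SSLv3={allows_sslv3(line)}")
```

Running it shows the reverted line is the only one of the three that re-enables SSLv3, and that the ClearOS 7 line also drops TLS 1.0, which the asker's BlackBerry clients need.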