0 votes
I'm trying to get ssllabs to allow me to get higher then a C rating but the only way to do so is disable all SSL3 ciphers completely. While on our server it's fine to only have TLS 1.2 however on some clients that's a problem as blackberry doesn't support TLS 1.2 only TLS 1.0 or 1.1 so we can't use activesync.

I've looked into disabling weak ciphers but this doesn't seem to work at least not the ones I've tried. Has anyone got any good experience with ciphers and what would make ssllabs know I've disabled ssl3 but still have TLS 1.0, 1.1 & 1.2

current config on ssl.conf

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

However only this will get me to A+ with enabling HSTS

Monday, November 16 2015, 02:53 PM
Share this post:
Responses (1)
  • Accepted Answer

    Wednesday, November 18 2015, 06:59 PM - #Permalink
    0 votes
    Hi James,

    This is what we shipped with ClearOS 7 (both webconfig and the Web Server app):

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder On

    I don't think this provided an A+ grade with SSL Labs, but it was close. It's always a balance between security and breaking stuff. In fact, we had to revert the SSLProtocol line just recently -- we're allowing SSLv3 again in webconfig... for now. We want to go back to disabling SSLv3 again in 7.2.

    SSLProtocol all -SSLv2 -TLSv1
    The reply is currently minimized Show
Your Reply