Re: [Sks-devel] Recommended HKPS protocols & ciphersuites?
From: David Benfell
Subject: Re: [Sks-devel] Recommended HKPS protocols & ciphersuites?
Date: Sun, 3 Aug 2014 13:55:19 -0700
User-agent: Mutt/1.5.23 (2014-03-12)

On Sun, Aug 03, 2014 at 09:29:49PM +0200, Pete Stephenson wrote:
> Hi all,
>
> For those running HKPS-enabled servers in the pool, what protocols and
> ciphersuites do you use?
>
> I'd hope that it'd be safe these days to disable SSLv2. How about SSLv3?
> RC4?
>
> I'd like to provide a reasonable fallback to older clients that don't
> support modern ciphers, but without jeopardizing the security of modern
> clients that do.
>

Here is my incantation for Apache (I think this will work in both 2.2
and 2.4, but I don't remember). It gets me an A+ rating on the Qualys
SSL test:

    SSLEngine on
    SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.2
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:HIGH:!MEDIUM:!LOW:!SSLv2:!aNULL:!PSK:SSLv3:!3DES
    SSLHonorCipherOrder on
    SSLCompression Off
    SSLInsecureRenegotiation off
    SSLOptions StdEnvVars
    Header add Strict-Transport-Security: "max-age=15768000"
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

However, I have been mean about some older clients. I don't care about
Yandex, for example, and don't know why they don't update their SSL
capabilities.
--
David Benfell <address@hidden>
See https://parts-unknown.org/node/2 if you don't understand the
attachment.
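
An added example, not part of the message above and not code from SKS or Apache: a small Python check that works out which protocols an `SSLProtocol` line like the one in the message leaves enabled, and flags obviously weak settings. The membership of `ALL`, the `WEAK` keyword list and the function names are assumptions made for illustration; the cipher check is a textual heuristic, not an OpenSSL expansion.

```python
import re

# Assumption: what "all" expands to differs between mod_ssl/OpenSSL builds.
ALL = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
WEAK = ("RC4", "MD5", "EXP", "NULL", "MEDIUM", "LOW")  # hypothetical keyword list

# Constructed sample: directives from the message, cipher string on one line.
SAMPLE = r'''
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:HIGH:!MEDIUM:!LOW:!SSLv2:!aNULL:!PSK:SSLv3:!3DES
SSLCompression Off
BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown
'''

def parse_directives(text):
    """Return {lowercased directive: argument string}; the last occurrence wins."""
    text = re.sub(r"\s*\\\r?\n\s*", " ", text)  # join backslash continuations
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out[name.lower()] = args.strip()
    return out

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    canon = {p.lower(): p for p in ALL}
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        group = set(ALL) if name == "all" else {canon[name]}  # KeyError if unknown
        if tok[0] == "-":
            enabled -= group
        elif tok[0] == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def audit(text):
    """Return (enabled protocol set, list of findings) for a config fragment."""
    d = parse_directives(text)
    # Assumption: a missing SSLProtocol line is treated as "all".
    protos = effective_protocols(d.get("sslprotocol", "all"))
    findings = [f"protocol {p} enabled" for p in sorted(protos & {"SSLv2", "SSLv3"})]
    # A bare "SSLv3" in a cipher string names a cipher family, not the protocol.
    for tok in d.get("sslciphersuite", "").split(":"):
        if tok and tok[0] not in "!-" and any(w in tok.upper() for w in WEAK):
            findings.append(f"cipher token {tok} adds a weak family")
    if d.get("sslcompression", "").lower() == "on":
        findings.append("TLS compression enabled")
    return protos, findings
```

Run against the directives from the message, `audit(SAMPLE)` reports TLSv1 and TLSv1.2 as the only enabled protocols (TLSv1.1 is never added back after `-ALL`) and no findings.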