httpd-users mailing list archives

From "Abernathy, Don" <DAberna...@MFS.com>
Subject [users@httpd] RE: Enabling Forward secrecy on SSL
Date Thu, 30 Mar 2017 12:07:19 GMT
The most common way we did this, in the virtual host directive for the SSL side of the site,
was to declare what is and is not allowed.
There are plenty of docs on this out there, but here is ours:


SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLClientAuth 0


Don Abernathy
Group Manager- Web Services
T: 617-954-4127
MFS Investment Management
111 Huntington Ave, Boston, MA 02199



From: Chunduru, Krishnachaithanya [mailto:Krishnachaithanya.Chunduru@broadridge.com]
Sent: Friday, March 17, 2017 10:37 AM
To: users@httpd.apache.org
Subject: [users@httpd] Enabling Forward secrecy on SSL

Hi All,

Can someone advise me on how to achieve the below on a server running with Apache SSL enabled?

* SSL - Supports Weak Encryption: The following protocols should be switched on -
  TLS 1.2, TLS 1.1, TLS 1.0. SSL 3 and SSL 2 should be disabled.

* Weak Configuration - SSL/TLS - Deprecated Protocol: Disable the use of SSL 2.0 and
  3.0 as well as TLS 1.0. Use TLS 1.1, 1.2, or later and set the latest protocol as preferred.

* The Server Does Not Support Forward Secrecy:

Regards,
Krishna
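
Added example, not part of either message and not code from the httpd project: a short Python check that reads SSLCipherSpec lines in the form quoted in the reply and separates suites with ephemeral (ECDHE/DHE) key exchange, which provide forward secrecy, from static-RSA suites, which do not. It assumes that NONE clears the list for its selector and that suite names follow the TLS_<key exchange>_WITH_<cipher> pattern; `audit` and `is_forward_secret` are names introduced here.

```python
import re

# Constructed input: the directives quoted in the reply above, verbatim.
SAMPLE_CONFIG = """\
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLClientAuth 0
"""

# Suite names have the form TLS_<key exchange>_WITH_<cipher>_<hash>.
SUITE_RE = re.compile(r"^TLS_([A-Z0-9_]+?)_WITH_[A-Z0-9_]+$")

def is_forward_secret(suite):
    """True/False by key exchange; None if the name is not in the expected form."""
    m = SUITE_RE.match(suite)
    if m is None:
        return None
    # Ephemeral (EC)DH gives forward secrecy; static RSA key exchange does not.
    return m.group(1).startswith(("ECDHE_", "DHE_"))

def audit(config_text):
    """Walk the directives in order and report what stays enabled."""
    enabled, disabled_protocols, unparsed = [], [], []
    for line in config_text.splitlines():
        name, *args = line.split() or [""]
        if name.lower() == "sslprotocoldisable":
            disabled_protocols += args
        elif name.lower() == "sslcipherspec" and len(args) == 2:
            selector, suite = args
            if suite == "NONE":  # assumption: NONE clears that selector's list
                enabled = [e for e in enabled if selector != "ALL" and e[0] != selector]
            elif (fs := is_forward_secret(suite)) is None:
                unparsed.append(suite)
            else:
                enabled.append((selector, suite, fs))
    return {
        "disabled_protocols": disabled_protocols,
        "unparsed": unparsed,
        "forward_secret": [(sel, s) for sel, s, fs in enabled if fs],
        "static_key_exchange": [(sel, s) for sel, s, fs in enabled if not fs],
    }
```

Run on the quoted configuration, `audit(SAMPLE_CONFIG)` puts the four TLS_ECDHE_RSA_* entries under `forward_secret` and the four TLS_RSA_* entries under `static_key_exchange`; a connection that negotiates one of the latter has no forward secrecy.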

