httpd-users mailing list archives

From David Mehler <dave.meh...@gmail.com>
Subject Re: [users@httpd] SSL cipher suites
Date Sun, 18 Feb 2018 21:58:25 GMT
Hi,

Thanks. Are these ciphers PFS friendly?

Thanks.
Dave.


On 2/18/18, Michael A. Peters <mpeters@domblogger.net> wrote:
> On 02/18/2018 09:00 AM, David Mehler wrote:
>> Hello,
>>
>> I'm looking for recommendations. I'm running Apache 2.4 and OpenSSL
>> 1.0.2n. I'm looking for the strongest certificates that support
>> TLSv1.2 and PFS.
>>
>> Recommendations/pros/cons welcome.
>>
>> Thanks.
>> Dave.
>>
>
> For sites that don't need Tumblr to be able to scrape the OpenGraph data
> (Tumblr seems to use a buggy version of libcurl that doesn't tolerate
> ECDSA certs) I use the following:
>
> SSLCipherSuite "EECDH+CHACHA20 EECDH+AES256 -SHA"
>
> For sites that I need to be social media friendly, I use an RSA cert with
> the following:
>
> SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256"
>
> Example of how SSL Labs sees ECDSA config:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=librelamp.com&latest
>
> Note that the "Android" browser in some versions of Android can't
> connect, that's because I use LibreSSL which no longer ships the
> deprecated preview version of ChaCha20 and Google, being one of the
> richest companies in the world, can't afford to update those versions of
> Android to use the stable ChaCha20 cipher suite.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
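
Whether a cipher string is PFS friendly can be checked by expanding it with `openssl ciphers -v` and looking at the key-exchange (`Kx=`) column of every suite it selects. The script below is an added example, not part of either poster's message; the sample listing is constructed, and the function names are hypothetical.

```python
import shutil
import subprocess

# Constructed sample in the column layout printed by `openssl ciphers -v`
# (not captured from any server mentioned in the thread).
SAMPLE = """\
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
"""

# Ephemeral key exchange prints as exactly Kx=ECDH or Kx=DH; static variants
# carry a suffix (Kx=ECDH/RSA) and RSA key transport prints as Kx=RSA.
FORWARD_SECRET_KX = {"ECDH", "DH"}

def classify(listing):
    """Split a `ciphers -v` listing into (forward_secret, not_forward_secret) names."""
    fs, non_fs = [], []
    for line in listing.splitlines():
        fields = line.split()
        # TLSv1.3 suites are configured separately from these cipher strings.
        if len(fields) < 3 or fields[1] == "TLSv1.3":
            continue
        kx = next((f[3:] for f in fields[2:] if f.startswith("Kx=")), None)
        if kx is not None:
            (fs if kx in FORWARD_SECRET_KX else non_fs).append(fields[0])
    return fs, non_fs

def expand(cipher_string):
    """Return the local openssl expansion of a cipher string, or None on failure."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    res = subprocess.run([exe, "ciphers", "-v", cipher_string],
                         capture_output=True, text=True)
    return res.stdout if res.returncode == 0 else None

if __name__ == "__main__":
    print("sample:", classify(SAMPLE))
    # The two SSLCipherSuite strings quoted in the thread.
    for s in ("EECDH+CHACHA20 EECDH+AES256 -SHA",
              "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256 "
              "EECDH+AES EDH+AES256 !EDH+AESGCM !EDH+SHA256"):
        listing = expand(s)
        print(s, "->", classify(listing) if listing else "openssl unavailable")
```

An empty second list means every suite the string selects uses an ephemeral key exchange; the result depends on the openssl build that does the expansion.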
