This is not a post about the whys and wherefores of the settings below, nor is it meant to be a discussion of SSL/TLS security in general. It is just a quick reference for setting the SSL/TLS protocol and cipher configuration in different web servers and OSes. This post will be edited as I find the need to configure different servers and software.
Apache on Linux:
Edit /etc/httpd/conf.d/ssl.conf (on RHEL6; other OSes move this file around, e.g. Debian/Ubuntu keep these directives in /etc/apache2/mods-available/ssl.conf). Comment out the current SSL settings, keeping the new ones in the same <VirtualHost> or server-config context as the lines you comment out:
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
#SSLProtocol all -SSLv2
Add settings:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
SSLHonorCipherOrder on
# This next one cuts out IE6 on WinXP (good riddance)
SSLProtocol all -SSLv2 -SSLv3
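As an added example (not from the original post, and not part of Apache or RHEL tooling), the edit above as a POSIX shell script: it comments out the stock SSLCipherSuite/SSLProtocol lines instead of deleting them, inserts the recommended block once in the same context, keeps a backup, and then checks the result for the mistakes that usually creep in by hand (a second active SSLProtocol line, SSLHonorCipherOrder forgotten, RC4 left in). The sample ssl.conf is constructed here to mirror the RHEL6 defaults quoted above; the function names and the .bak suffix are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's Apache mod_ssl
# settings to an ssl.conf non-interactively, then check the result.
# Function names, the .bak suffix and the sample file are assumptions of
# this example; the directive values are the ones the post recommends.

NEW_CIPHERS='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS'
NEW_PROTOCOL='all -SSLv2 -SSLv3'

# make_sample_conf FILE: write a constructed ssl.conf in the style of the
# RHEL6 default, with the same two stock lines the post says to comment out.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on RHEL6 /etc/httpd/conf.d/ssl.conf
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
EOF
}

# active_directive FILE NAME: print the argument(s) of every uncommented
# occurrence of directive NAME, one per line.
active_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

# harden_ssl_conf FILE: comment out every active SSLCipherSuite, SSLProtocol
# and SSLHonorCipherOrder line and insert the recommended block once, where
# the first of them was, so it stays in the same <VirtualHost> or server-config
# context as the lines it replaces. The original is kept as FILE.bak.
harden_ssl_conf() {
    f=$1
    tmp=$(mktemp) || return 1
    awk -v ciphers="$NEW_CIPHERS" -v proto="$NEW_PROTOCOL" '
        /^[ \t]*(SSLCipherSuite|SSLProtocol|SSLHonorCipherOrder)[ \t]/ {
            print "#" $0            # keep the old value on record, disabled
            if (!done) {            # the replacement block goes in exactly once
                print "SSLCipherSuite " ciphers
                print "SSLHonorCipherOrder on"
                print "# Disables SSLv3 as well as SSLv2 (drops IE6 on WinXP)"
                print "SSLProtocol " proto
                done = 1
            }
            next
        }
        { print }
    ' "$f" > "$tmp" && cp "$f" "$f.bak" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# check_ssl_conf FILE: succeed only if there is exactly one active line per
# directive, SSLv2 and SSLv3 are both disabled, the server's cipher order wins,
# and the cipher string still excludes anonymous DH and MD5 and brings in no RC4.
check_ssl_conf() {
    f=$1
    proto=$(active_directive "$f" SSLProtocol)
    suite=$(active_directive "$f" SSLCipherSuite)
    order=$(active_directive "$f" SSLHonorCipherOrder)
    # Duplicate directives are the classic hand-edit mistake: the last one read wins.
    for v in "$proto" "$suite" "$order"; do
        [ "$(printf '%s\n' "$v" | grep -c .)" -eq 1 ] || { echo "check: need exactly one active line per directive in $f"; return 1; }
    done
    case " $proto " in *" -SSLv2 "*) ;; *) echo "check: SSLv2 not disabled"; return 1 ;; esac
    case " $proto " in *" -SSLv3 "*) ;; *) echo "check: SSLv3 not disabled"; return 1 ;; esac
    [ "$order" = on ] || { echo "check: SSLHonorCipherOrder is not on"; return 1; }
    case "$suite" in *'!ADH'*) ;; *) echo "check: anonymous DH not excluded"; return 1 ;; esac
    case "$suite" in *'!MD5'*) ;; *) echo "check: MD5 not excluded"; return 1 ;; esac
    case "$suite" in *RC4*) echo "check: RC4 present in cipher string"; return 1 ;; esac
    echo "check: $f ok"
}

# demo: run the whole thing against the constructed sample.
demo() {
    f=$(mktemp)
    make_sample_conf "$f"
    check_ssl_conf "$f"        # stock file: fails (SSLv3 still on, no cipher order)
    harden_ssl_conf "$f"
    check_ssl_conf "$f"        # hardened file: ok
    rm -f "$f" "$f.bak"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh harden.sh --demo` to watch the stock sample fail and the hardened copy pass; on a real box point `harden_ssl_conf` at /etc/httpd/conf.d/ssl.conf, then `apachectl configtest` and reload. `openssl ciphers -v '<the string>'` shows what the cipher string expands to on your OpenSSL build (the 3DES suites only appear on builds that still ship them, so the list shrinks on newer systems), and from another host `openssl s_client -connect host:443 -ssl3` must now fail to handshake (only testable with a client OpenSSL that still includes SSLv3).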
Note/update, Oct 2014: the advice in this post predates the POODLE attack on SSLv3, but it already disabled SSLv3, so the recommendations have not needed updating in light of the recent SSL attacks; they are still fully valid as written.
That last one also cuts out some versions of Firefox (but again who cares)
Sorry, I did know that once (when I first researched this topic), but didn't care about those too-old versions so much that I chose to forget. :)
Thanks for the reminder/addition/clarification.