SSLCipherSuite

Post by **cah** » Tue May 03, 2016 5:19 pm

The CA installation guide shows users how to import the CA root certificate into common browsers. From my experience, both IE and Chrome work as expected but Firefox is still complaining about the connection is not secure.

I then tried the SSLCipherSuite with different combinations in Apache 2.4 config and FireFox started to work!
Before (default values from Apache 2.4 build):

Code: Select all

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

After:

Code: Select all

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

excerpted from Apache mod_ssl module (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite) wrote: Available prefixes are:

none: add cipher to list
+: move matching ciphers to the current location in list
-: remove cipher from list (can be added later again)
!: kill cipher from list completely (can not be added later again)

I tried a few more combinations and found FireFox doesn't like to see SSLv3 in SSLCipherSuite no matter what prefixes.

Not working:

Code: Select all

SSLCipherSuite ALL:!SSLv3
SSLCipherSuite ALL:-SSLv3
SSLCipherSuite HIGH:MEDIUM:!SSLv3
SSLCipherSuite HIGH:MEDIUM:-SSLv3

Working:

Code: Select all

SSLCipherSuite ALL:
SSLCipherSuite HIGH:MEDIUM
SSLCipherSuite HIGH:MEDIUM:!kRSA

Not sure why it doesn't like "!SSLv3" or "-SSLv3" but that's the result I got from testing.

To keep it simple and strong enough, the SSLCipherSuite can be set as:

Code: Select all

SSLCipherSuite HIGH:MEDIUM
SSLProxyCipherSuite HIGH:MEDIUM