SSLCipherSuite
Posted: Tue May 03, 2016 5:19 pm
The CA installation guide shows users how to import the CA root certificate into common browsers. From my experience, both IE and Chrome work as expected but Firefox is still complaining that the connection is not secure.
I then tried the SSLCipherSuite with different combinations in Apache 2.4 config and Firefox started to work!

Before (default values from Apache 2.4 build):

    SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
    SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

After:

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

I tried a few more combinations and found Firefox doesn't like to see SSLv3 in SSLCipherSuite no matter what the prefix is.

Excerpted from Apache mod_ssl module (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite):

Available prefixes are:
none: add cipher to list
+: move matching ciphers to the current location in list
-: remove cipher from list (can be added later again)
!: kill cipher from list completely (can not be added later again)

Not working:

    SSLCipherSuite ALL:!SSLv3
    SSLCipherSuite ALL:-SSLv3
    SSLCipherSuite HIGH:MEDIUM:!SSLv3
    SSLCipherSuite HIGH:MEDIUM:-SSLv3

Working:

    SSLCipherSuite ALL:
    SSLCipherSuite HIGH:MEDIUM
    SSLCipherSuite HIGH:MEDIUM:!kRSA

Not sure why it doesn't like "!SSLv3" or "-SSLv3" but that's the result I got from testing.

To keep it simple and strong enough, the SSLCipherSuite can be set as:

    SSLCipherSuite HIGH:MEDIUM
    SSLProxyCipherSuite HIGH:MEDIUM
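
An added example, not part of the original post: a way to see which suites each posted cipher string selects on the local OpenSSL build, using Python's ssl module. In OpenSSL cipher strings, SSLv3 selects suites by the protocol version that first defined them rather than the protocol itself (Apache sets protocols with SSLProtocol), so !SSLv3 also drops suites that TLS 1.0 to 1.2 connections use. The helper names expand, removed_by and summary are hypothetical, and the output depends on the OpenSSL version Python is linked against.

```python
import ssl
from collections import Counter

# Cipher strings copied from the post above.
POSTED = {
    "before": "HIGH:MEDIUM:!SSLv3:!kRSA",
    "after": "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH",
    "suggested": "HIGH:MEDIUM",
}


def expand(cipher_string):
    """Map suite name -> minimum-protocol label for the suites selected.

    TLS 1.3 suites are left out: OpenSSL configures them separately, so a
    cipher string like the ones above never adds or removes them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # the string selected no suite at all
        return {}
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def removed_by(base, restricted):
    """Suites selected by `base` that `restricted` no longer offers."""
    kept = expand(restricted)
    return {n: p for n, p in expand(base).items() if n not in kept}


def summary(cipher_string):
    """Count the selected suites per minimum-protocol label."""
    return Counter(expand(cipher_string).values())


if __name__ == "__main__":
    for label, string in POSTED.items():
        print(f"{label:10} {string}")
        print(f"{'':10} {dict(summary(string))}")
    dropped = removed_by("HIGH:MEDIUM", "HIGH:MEDIUM:!SSLv3")
    print(f"!SSLv3 drops {len(dropped)} suites, e.g. {sorted(dropped)[:5]}")
```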