Ideal OpenSSL configuration for Apache and nginxFeeding the Cloud
<a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>
https://feeding.cloud.geek.nz/posts/ideal-openssl-configuration-for-apache/Feeding the Cloudikiwiki2013-06-13T21:08:22Zhttps://feeding.cloud.geek.nz/posts/ideal-openssl-configuration-for-apache/comment_1_b414df4a269a341ab144cfcb4d8a1eb7/Anonymous2012-11-04T04:30:26Z2011-11-14T22:24:46Z
<p>RC4, while avoiding the attack-flavor-of-the-day, provides relatively weak security compared to other ciphers. Consider the various guides pointing out that "ssh -c arcfour" goes faster but at the expense of some security, and thus that you should not use it on insecure networks.</p>
<p>Instead, I'd suggest preferring TLSv1.2 and TLSv1.1, both of which address the BEAST attack and other problems. As far as I know, those already appear earlier in the preference list than TLSv1, though you should check that.</p>
https://feeding.cloud.geek.nz/posts/ideal-openssl-configuration-for-apache/comment_2_c2f11f533eb59672c5e710ca9215cf7d/François Marier2012-11-04T04:30:26Z2011-11-14T22:53:48Z
<p>@anonymous While it would be nice to be able to switch to TLS 1.2 or 1.1, browser support is not there yet so most clients would simply downgrade to TLS 1.0, hence the need to have a strong TLS 1.0 config.</p>
<p>Also, TLS 1.1 requires either a pretty recent version of OpenSSL (not yet in many popular distros) or the use of mod_gnutls.</p>
https://feeding.cloud.geek.nz/posts/ideal-openssl-configuration-for-apache/comment_3_5dde9d6fabdd6c577d17a5c20387bf1f/Dan2012-11-04T04:30:26Z2011-11-15T08:33:45Z
If you aim to be compatible to most browsers you can't use SNI as its incompatible with WinXP IE(all).
https://feeding.cloud.geek.nz/posts/ideal-openssl-configuration-for-apache/comment_4_e40c0bcc9e541c032efc5e3162dce47b/mirabilos2012-11-04T04:30:26Z2011-11-15T16:49:56Z
Thanks, your entries are now in the default configuration of MirBSD httpd <img alt=";-)" src="https://feeding.cloud.geek.nz/smileys/smile4.png" /> and also enabled on www.mirbsd.org and related servers.
https://feeding.cloud.geek.nz/posts/ideal-openssl-configuration-for-apache/comment_5_d642d515b193204a70a7adf3260db50d/François Marier2012-11-04T04:30:26Z2011-11-29T00:36:00Z
<p>Another factor to consider is perfect forward secrecy:</p>
<p>http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html<br />
http://www.imperialviolet.org/2011/11/22/forwardsecret.html</p>
RC4 is brokenhttps://feeding.cloud.geek.nz/posts/ideal-openssl-configuration-for-apache/comment_6_6cdc3ba875ab714afa3868c60fe1b42d/Леонид2013-06-13T21:08:22Z2013-06-12T14:57:44Z
http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html