logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.


Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: https SLL parameters
Author
Otomatic



Joined: 01 Sep 2011
Posts: 83
Location: Paris, France, EU

PostPosted: Mon 21 Mar '22 13:02    Post subject: https SLL parameters Reply with quote

Hi,

To be able to use and test local sites in https mode, I use, among others, the following settings:
Code:
# SSL Cipher Suite:
SSLCipherSuite HIGH:!RSA:!RC4:!3DES:!DES:!IDEA:!MD5:!aNULL:!eNULL:!EXP
# Encryptions TLSv1.3
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384

SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets on
# SSL Protocol support:
SSLProtocol -all +TLSv1.2 +TLSv1.3
# Pass Phrase Dialog:
SSLPassPhraseDialog builtin

It works well, but there may be some missing or extra things.

Thank you for your comments.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7118
Location: Germany, Next to Hamburg

PostPosted: Tue 22 Mar '22 15:11    Post subject: Reply with quote

I would define the TLS 1.2 ciphers by name.

SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384

and I wonder why you let the client choose 128 bit over 256 if it doesn't do POLY1305/CHACHA20.
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 83
Location: Paris, France, EU

PostPosted: Tue 22 Mar '22 15:51    Post subject: Reply with quote

James Blond wrote:
and I wonder why you let the client choose 128 bit over 256 if it doesn't do POLY1305/CHACHA20.

Probably because I have - as they say at home - mixed up my pencils with the results of openssl ciphers -v

Merci.

So here is the final:
Code:
# SSL Cipher Suite:
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
# Encryptions TLSv1.3
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7118
Location: Germany, Next to Hamburg

PostPosted: Wed 23 Mar '22 9:53    Post subject: Reply with quote

My current config

Code:

<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; preload"
    </IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1
Back to top


Reply to topic   Topic: https SLL parameters View previous topic :: View next topic
Post new topic   Forum Index -> Apache