Author |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7298 Location: Germany, Next to Hamburg
|
Posted: Tue 29 Nov '16 16:43 Post subject: |
|
|
The bad boys in the apache config
Code: |
DHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA
|
The closed I came to a 256 bit with h2 result is:
Code: |
Listen 443
<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>
ProtocolsHonorOrder On
Protocols h2c h2 http/1.1
SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
|
But then Android < 7 is out of the race. Also IE 10 and smaller is out. Also some "older" Firefox versions can't connect |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1248 Location: Amsterdam, NL, EU
|
Posted: Thu 01 Dec '16 13:36 Post subject: |
|
|
James Blond wrote: | But then Android < 7 is out of the race. Also IE 10 and smaller is out. Also some "older" Firefox versions can't connect |
Do you have this running somewhere? I could try with Firefox 47 on Windows 7. See https://github.com/icing/mod_h2/issues/121#issuecomment-263092561
The SSLlabs test is not always informative enough. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7298 Location: Germany, Next to Hamburg
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7298 Location: Germany, Next to Hamburg
|
Posted: Thu 01 Dec '16 14:21 Post subject: |
|
|
I wonder why the POLY ciphers have been renamed...
I changed the config and it look better know
Code: | SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ADH-AES256-GCM-SHA384 |
|
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1248 Location: Amsterdam, NL, EU
|
Posted: Thu 01 Dec '16 14:29 Post subject: |
|
|
Firefox 47.0 on Win7:
Quote: | Your connection is not secure
The owner of mr-burns.apachehaus.de has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website. |
Edit: FF 47.0 still works OK on https://fips.sessiondatabase.net/
using ECDHE-RSA-AES256-SHA = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7298 Location: Germany, Next to Hamburg
|
Posted: Thu 01 Dec '16 15:46 Post subject: |
|
|
You can't use that cipher with HTTP/2. It is a blacklisted suite. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1248 Location: Amsterdam, NL, EU
|
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1248 Location: Amsterdam, NL, EU
|
Posted: Fri 02 Dec '16 0:06 Post subject: |
|
|
And Chrome 49 on XP/SP3 also connects over http/1.1 using ECDHE-RSA-AES256-SHA. As a comparison, on https://ie8xp.sessiondatabase.net it uses http/2.0 with the 128-bits ECDHE-RSA-AES128-GCM-SHA256. |
|
Back to top |
|