It would be great if we could learn from what ssllabs has as their Apache config for the SSL part; I'm interested in how to order ciphers and secure renegotiation, among other things.
No worries, here they are: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
Here are the relevant directives:
# Disable SSLv2
SSLProtocol all -SSLv2
# Choose cipher suites
# Use only strong authentication and ciphers; prioritise RC4 to mitigate BEAST
By the way, we are currently working on a Best Practices for SSL Deployment document, which should tell you all you need to know to properly deploy SSL. It will be published during the RSA Conference in February next year.
Could you guide me on how to order ciphers and configure secure renegotiation, among other things, for OpenSSL 1.0.1e and Apache 2.4.4? Thanks in advance.
I don't have much time to write it up, but the following configuration should work well (for both security and performance):
SSLProtocol all -SSLv2
SSLCipherSuite 'AESGCM:RC4:SHA384:SHA256:AES:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!kEDH:!PSK:!SRP:!kECDH'
Tested on the command line, but not in server configuration.
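As an added example (not code from the thread or from SSL Labs), here is a small linter for an Apache SSLCipherSuite value: it splits the OpenSSL cipher string into preference and exclusion lists and reports keywords that would not pass a current review, applied to the string posted above. The weak-keyword list is my assumption for the check (RC4 is prohibited for TLS by RFC 7465), not something the thread states.

```python
import re

# Constructed sample: the SSLCipherSuite value quoted in the post above.
THREAD_CIPHER_STRING = (
    "'AESGCM:RC4:SHA384:SHA256:AES !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:"
    "!kEDH:!PSK:!SRP:!kECDH'"
)

# Assumption for this check: keywords that should not appear in a preference
# list any more (RC4 per RFC 7465; the rest are long retired) and keywords a
# reviewer expects to see permanently excluded with '!'.
WEAK_KEYWORDS = {"RC4", "3DES", "DES", "MD5", "EXP", "LOW", "NULL", "eNULL", "aNULL"}
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXP", "LOW", "MD5", "3DES", "RC4"}


def parse_cipher_string(value):
    """Split an OpenSSL cipher string into (preferred, removed, excluded, appended).

    Separators may be ':', ',' or whitespace (OpenSSL accepts all three).
    Prefixes: '!' = permanently excluded, '-' = removed but may be re-added,
    '+' = moved to the end of the list.  '@' directives stay in 'preferred'.
    """
    preferred, removed, excluded, appended = [], [], [], []
    for token in re.split(r"[:,\s]+", value.strip().strip("'\"")):
        if not token:
            continue
        if token.startswith("!"):
            excluded.append(token[1:])
        elif token.startswith("-"):
            removed.append(token[1:])
        elif token.startswith("+"):
            appended.append(token[1:])
        else:
            preferred.append(token)
    return preferred, removed, excluded, appended


def lint_cipher_string(value):
    """Return human-readable findings for an SSLCipherSuite value (empty = clean)."""
    preferred, _removed, excluded, _appended = parse_cipher_string(value)
    findings = []
    for index, token in enumerate(preferred):
        # A preference entry may be a compound such as 'ECDHE+AESGCM'.
        for part in token.split("+"):
            if part in WEAK_KEYWORDS:
                findings.append(f"weak keyword '{part}' at preference position {index}")
    for keyword in sorted(REQUIRED_EXCLUSIONS - set(excluded)):
        findings.append(f"'{keyword}' is not permanently excluded with '!'")
    return findings


if __name__ == "__main__":
    for finding in lint_cipher_string(THREAD_CIPHER_STRING):
        print(finding)
```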
Sorry for picking up on a rather old post here, but I was trying to minimize unnecessary duplicates in your forum. I am struggling to find a valid balance between protocol security and browser backwards compatibility while at the same time enabling robust forward secrecy for as many browsers as possible.
Since I am basically aiming to "reverse engineer" ssllabs' own Apache SSL configuration to use the same well-balanced setup for my server (and am failing in so many interesting new ways over and over again), I figured that I could instead just ask if you would be so kind as to update this post with the currently active Apache SSL setup of ssllabs.com?
Though I have been learning a lot about SSL protocols, handshakes and cipher suites, I just can't seem to recreate that balance in my server's setup. So any help would be greatly appreciated!
Thanks and best regards from Germany,
Hi Ivan, and first off thanks for picking up on the issue, but I actually - sort of - made it (or more likely found a loophole in your rating mechanism)... Hahaha
Our site is still operating on Apache 2.2.x and thus - as I learned - is just not able to provide "robust forward secrecy" for the Internet Explorer family. Nevertheless I still finally got this banner displayed for our site by tricking your ssltest, and I did this by kicking out any "first handshake solutions" for IE from our server's SSL setup.
It feels a little like cheating though, so you might want to reconsider your rating algorithm on that behalf.
You can replay my results here:
Cheers from Germany, cizko
No worries, you can only cheat yourself