Hello:
SSL Labs reduces its grade if the server does not support forward secrecy. It links to this on how to configure it:
https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-depl...
---snip ---
Enabling forward secrecy can be done in two steps:
Configure your server to actively select the most desirable suite from the list offered by SSL clients. Put ECDHE and DHE suites at the top of your list. (The order is important; because ECDHE suites are faster, you want to use them whenever clients support them.)
Knowing which suites to enable and move to the top can be tricky, because not all browsers (devices) support all forward secrecy suites. At this point you may want to look for inspiration from those who are already supporting forward secrecy, for example Google.
In a nutshell, these are some of the suites you might want to enable and push (close) to the top:
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
---snip ---
I modified httpd.conf to include these ciphers like this:
SSLCipherSuite TLS_ECDHE_RSA_WITH_RC4_128_SHA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: ECDH+AESGCM:DH+AESGCM:ECDH+AES256: DH+AES256:ECDH+AES128: DH+AES:ECDH+3DES:DH+3DES: RSA+AESGCM: RSA+AES:RSA+3DES: !aNULL:!MD5:!DSS
restarted httpd, and there was no change in the forward secrecy score. The TLS_ECDHE suites are not even in the list of cipher suites on the SSL Labs report.
CentOS Linux 6.5
Linux 2.6.32-358.0.1.el6.x86_64 on x86_64
Virtualmin version 4.08.gpl GPL
httpd: Apache HTTP Server, running latest 2.2.15-29.el6.vm.1 (Virtualmin)
Any ideas?
Thanks,
Bill56
modified for clarity
Did you get it working?
Has this been resolved? What do I need to do to fix this so https://www.ssllabs.com does not report this?
I believe this is what fixed it. In httpd.conf:
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
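A quick way to see why the first attempt changed nothing and the version above works, as an added check that is not part of the original thread: SSLCipherSuite takes an OpenSSL cipher string, and names of the form TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA are IANA names that OpenSSL does not recognise (its name for that suite is ECDHE-RSA-AES128-SHA), so it silently drops them and carries on with the rest of the list. The script below uses only Python's standard ssl module against the local OpenSSL to expand a cipher string into the suite order the server would actually use, to list the tokens that match nothing, and to confirm that the preferred suite is an ECDHE/DHE one. POSTED_CIPHER_STRING is constructed for the example from the earlier failed string (spaces after the colons removed and the tail shortened); FIXED_CIPHER_STRING is the working string from the post above.

```python
import ssl

# Constructed for this example from the cipher string posted earlier in the
# thread: the four IANA-style suite names OpenSSL does not recognise, followed
# by two of the OpenSSL aliases that do work.
POSTED_CIPHER_STRING = (
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:"
    "ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS"
)

# The SSLCipherSuite value from the fix, verbatim.
FIXED_CIPHER_STRING = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string (what SSLCipherSuite takes) into the
    ordered list of TLS 1.2-and-below suite names it selects.

    Raises ssl.SSLError when no cipher at all matches, which is what OpenSSL
    reports for a string made only of unrecognised tokens.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also lists the fixed TLS 1.3 suites, which SSLCipherSuite
    # does not control; drop them so the order reflects the configured string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_valid_cipher_string(cipher_string):
    """True if OpenSSL can select at least one suite from the string."""
    try:
        expand_cipher_string(cipher_string)
    except ssl.SSLError:
        return False
    return True


def unknown_tokens(cipher_string):
    """Return the positive tokens of a cipher string that OpenSSL silently
    ignores because they match nothing (IANA names, typos, suites the local
    build lacks). Exclusion and ordering operators (!, -, +, @) are skipped
    because they are not meaningful on their own."""
    dropped = []
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token or token[0] in "!-+@":
            continue
        if not is_valid_cipher_string(token):
            dropped.append(token)
    return dropped


def forward_secrecy_first(cipher_string):
    """True if the suite the server would prefer first is an ECDHE or DHE
    suite, i.e. one that gives forward secrecy. The server's order only
    matters when SSLHonorCipherOrder is On."""
    names = expand_cipher_string(cipher_string)
    return bool(names) and names[0].startswith(("ECDHE-", "DHE-"))


if __name__ == "__main__":
    print("tokens OpenSSL ignores in the posted string:",
          unknown_tokens(POSTED_CIPHER_STRING))
    print("fixed string, first suites:",
          expand_cipher_string(FIXED_CIPHER_STRING)[:4])
    print("forward secrecy first:", forward_secrecy_first(FIXED_CIPHER_STRING))
```

Run it on the machine that serves the site, since the answer depends on the OpenSSL that httpd is linked against; the same check from the command line is `openssl ciphers -v '<string>'`, which prints the expanded list or an error.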
Hi
Is it possible to set this at a more general level so you don't have to edit each individual virtual server within the httpd.conf file? UPDATE: Found it in the httpd.conf file, you just need to add it before the virtual servers :)
Secondly, if you want an A+ on SSL Labs you need to add the following:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Thanks bill56 for the fix. I haven't ventured on to the A+ settings from -eclipse- but will do when I have time...
So +1 for having this in the Virtualmin SSL Options panel one day (for me the SSLv2 and SSLv3 checkboxes still show as unchecked with "SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1" in the config file), and as a default for new servers? If it's not already...
jonny
Relax