[Ach] Disabling anonymous ciphers

Christian Rishøj christian at rishoj.net
Mon Jan 6 12:12:10 CET 2014


Using the SSLCipherSuite and SSLProtocol directives from https://github.com/BetterCrypto/duraconf/blob/master/configs/apache2/https-hsts.conf, my Apache server scores "F" on https://www.ssllabs.com/ssltest/analyze.html, with the reason

> This server supports anonymous (insecure) suites (see below for details). Grade set to F.

The anonymous ciphers are:

	TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)
	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)
	TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)
	TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)

Did I screw up? If not, I think the guide could use either a correction or an explanation.
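The suites SSL Labs flagged all have `_anon` in their key-exchange component, meaning the server's key exchange is unauthenticated (any man-in-the-middle can complete the handshake). Apache's `SSLCipherSuite` takes an OpenSSL cipher string, and the OpenSSL keywords `!aNULL` (no authentication) and `!eNULL` (no encryption) exclude such suites. The following is an added example, not code from the post, from duraconf or from the ACH guide: it parses IANA-style suite names, reports the anonymous ones, and appends the two exclusions to a cipher string if they are missing. The two authenticated suite names and the sample cipher string are constructed for contrast; the four anonymous names are the ones reported in the post.

```python
import re

# Constructed sample: the four suites SSL Labs reported, plus two
# authenticated suites (assumed, for contrast) that should stay enabled.
REPORTED_SUITES = [
    "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

# IANA suite names: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>.  "_anon" marks an
# unauthenticated key exchange; plain "RSA" as kx is RSA key transport,
# which is authenticated by the server's RSA certificate.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+(?:_anon)?)(?:_(?P<auth>RSA|DSS|ECDSA|PSK))?_WITH_(?P<rest>.+)$"
)


def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher and MAC."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised suite name: %s" % name)
    kx, auth, rest = m.group("kx"), m.group("auth"), m.group("rest")
    if auth is None and kx == "RSA":
        auth = "RSA"  # RSA key transport authenticates via the certificate
    enc, mac = rest.rsplit("_", 1)
    return {"kx": kx, "auth": auth, "enc": enc, "mac": mac}


def is_anonymous(name):
    """True when the suite performs no server authentication at all."""
    info = parse_suite(name)
    return info["kx"].endswith("_anon") or info["auth"] is None


def audit(suites):
    """Return the subset of suites an assessment tool would flag as anonymous."""
    return [s for s in suites if is_anonymous(s)]


def harden_cipher_string(cipher_string):
    """Append the OpenSSL exclusions that remove anonymous and null suites.

    Exclusions already present are not duplicated, so the function is
    idempotent and safe to apply to an existing SSLCipherSuite value.
    """
    parts = cipher_string.split(":")
    for exclusion in ("!aNULL", "!eNULL"):
        if exclusion not in parts:
            parts.append(exclusion)
    return ":".join(parts)


if __name__ == "__main__":
    for suite in audit(REPORTED_SUITES):
        print("anonymous suite enabled:", suite, parse_suite(suite))
    # Constructed cipher string standing in for the guide's value.
    print(harden_cipher_string("EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES"))
```

To check a real configuration rather than a list of names, run `openssl ciphers -v '<your SSLCipherSuite value>'`; anonymous suites show up with `Au=None` in that output, and they disappear once `!aNULL` is part of the string. Also confirm that the Apache virtual host actually loads the directive (a stray default `SSLCipherSuite` elsewhere can override it), since an assessment tool grades what the server negotiates, not what the config file intends.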
