[Ach] Current bettercrypto.org cipher list (apache) and https://www.ssllabs.com/ssltest

Adi Kriegisch adi at kriegisch.at
Thu Nov 13 08:18:48 CET 2014


Hey!

> just updated my apache configuration to latest cipher list of bettercrypto.org and checked the server using https://www.ssllabs.com/ssltest
>
> I get a report: "The server does not support Forward Secrecy with the reference browsers."
>
> Beneath "Handshake simulation" most reference browsers show a "TLS_DHE_RSA..." cipher, following reference browsers do not use FS:
(...)
> Is there something missing in the cipher list?
Most probably your version of Apache (v2.2?) does not support elliptic
curves (ECDHE); therefore you won't get forward secrecy with IE (except for
IE11 on Windows 8 which supports DHE).
You may either have a look at the Debian project's version of Apache
(because they backported EC support to Apache 2.2) or (probably better) put
an nginx in front of Apache because only the very latest versions of Apache
support Diffie-Hellman parameters stronger than 1024 bit.

-- Adi
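
The reverse-proxy setup suggested in the reply above, as an added example that is not part of the original message: nginx terminates TLS with ECDHE and a DH group larger than 1024 bit, and forwards plain HTTP to Apache on loopback. The hostname, file paths, backend port and cipher string are assumptions made for illustration; the cipher string is a constructed stand-in, not the bettercrypto.org list.

```nginx
# Added example (assumed names and paths throughout).
# Generate the DH group once, outside nginx:
#   openssl dhparam -out /etc/nginx/dhparam.pem 2048
server {
    listen 443 ssl;
    server_name www.example.org;                         # placeholder hostname

    ssl_certificate     /etc/nginx/tls/example.org.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.org.key;  # placeholder path

    # Let the server's order win so a forward-secret suite is chosen
    # whenever the client offers one.
    ssl_prefer_server_ciphers on;

    # Constructed stand-in: ECDHE suites first (for clients without usable DHE),
    # then DHE suites. Substitute the cipher string you actually deploy.
    ssl_ciphers 'EECDH+AESGCM:EECDH+AES:EDH+AESGCM:EDH+AES:!aNULL:!eNULL:!MD5:!RC4';

    # DHE suites use this group instead of a built-in 1024-bit default.
    ssl_dhparam /etc/nginx/dhparam.pem;

    # Curve offered for ECDHE key exchange.
    ssl_ecdh_curve secp384r1;

    # Protocol versions (ssl_protocols) are left to local policy here.

    location / {
        # Apache 2.2 listens on loopback only and never speaks TLS itself.
        proxy_pass http://127.0.0.1:8080;                # assumed backend port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Local check that an ECDHE suite is negotiated (run from a shell):
#   openssl s_client -connect www.example.org:443 -cipher EECDH < /dev/null
```

Bind Apache to 127.0.0.1 so the backend port is not reachable from outside, then re-run the SSL Labs test against the nginx listener.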