[Ach] SSL for limited user groups

Hanno Böck hanno at hboeck.de
Thu Jan 1 17:56:46 CET 2015


On Thu, 01 Jan 2015 17:44:32 +0100
"Robert M. Albrecht" <lists at romal.org> wrote:

> exactly my point, easy to make errors for non-crypto-experts:
> 
> SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH
> -CAMELLIA !AES128
> -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
> 
> is more reasonable ?

This will disable all aes128-ciphers. There is hardly a reason to
believe aes256 is more secure than aes128. And mainstream browsers
(chrome+firefox) don't support aes256+gcm.

I had to play a bit to get a string that will give you the gcm-fs-only,
but this one should do:
AESGCM:!RSA:!DSS:!ADH:!aECDH

(and yes, it's really a pity how complicated this cipher string business
is...)

Of course you should also make sure some other things are in good
shape, e.g. enable hsts, hpkp, ocsp stapling and make sure if you want
to use DH exchanges that they're >=2048 bit.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150101/3a2543b5/attachment.sig>


More information about the Ach mailing list