
I am using this SSL Conf:

SSLCipherSuite ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384

Please help! I am unable to find any solutions.

When I use ssllabs.com to check my website my cipher is always <100%. So, I heard that disabling 128 bit ciphers will get me to the full %. And I want to be as secure as possible.

1 Answer

Instead of listing ALL and then removing what you don't want you could just list the accepted ciphersuites, e.g.

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384

Also, you shouldn't focus on getting A+ 100% on the SSL Labs test. There's no such thing as 100% security, but only security against a risk. What's your risk model? Focusing on tests might even give you a false sense of security. The most useful part of the test starts after the grading. There, you can make a suitable compromise between security and compatibility. Are you willing to lose the visitors with older browsers that do not support any of your ciphersuites?

Esa Jokinen
  • What would be the most secure, and also allow most devices? –  Dec 26 '20 at 12:19
  • I've already linked my answer that discusses that exact question. [RFC 7525, 4.2](https://tools.ietf.org/html/rfc7525#section-4.2) is always a good start. – Esa Jokinen Dec 26 '20 at 12:21
  • Maybe I should stick with `SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES` –  Dec 26 '20 at 12:28
  • @Chi.C.J.RajeevaLochana See https://ssl-config.mozilla.org/ for continuously updated advice. – Michael Hampton Dec 26 '20 at 17:50
  • @MichaelHampton I have setup everything now. I have support for many devices. And I even have 100% on all in ssllabs. Thanks for all your help –  Dec 26 '20 at 17:52
  • @MichaelHampton: Good advice. I hadn't realized TLS 1.2 is now completely removed from their modern profile, which is good. – Esa Jokinen Dec 26 '20 at 18:53