
These SSL settings are set for my Apache server:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Last time I changed the SSLCipherSuite to prevent the POODLE attack (removed SSL3 support), but now I have a problem with Internet Explorer.

There is no way to find the best and current CipherSuite settings on Google. I searched and tried different settings for hours.

I use Qualys SSL Labs to test the settings and now I receive an 'A' grade: https://www.ssllabs.com/ssltest/analyze.html?d=allesonlinekopen.nl

But there is a problem:

The Bing webmaster console gives me the error: "Web Exception Status: SecureChannelFailure"

When I look at the SSL Report from Qualys SSL Labs it shows failures in the handshake simulation for all Microsoft-related programs:

BingBot Dec 2013              No SNI          Protocol or cipher suite mismatch   Fail
IE 6 / XP                     No FS, No SNI   Protocol or cipher suite mismatch   Fail
IE 7 / Vista                                  Protocol or cipher suite mismatch   Fail
IE 8 / XP                     No FS, No SNI   Protocol or cipher suite mismatch   Fail
IE 8-10 / Win 7               R               Protocol or cipher suite mismatch   Fail
IE 11 / Win 7                 R               Protocol or cipher suite mismatch   Fail
IE Mobile 10 / Win Phone 8.0                  Protocol or cipher suite mismatch   Fail
IE Mobile 11 / Win Phone 8.1                  Protocol or cipher suite mismatch   Fail

Only IE 11 on Win 10 and Win 8.1 are working, because they support TLS 1.2.

How can I fix this problem and give Bingbot and some older computers with IE8+ access to my site without an SSL warning?

It is also fine when I receive an 'A-' grade on Qualys SSL Labs.

Bo Pennings

3 Answers

I found this cipher suite generator from Mozilla: https://mozilla.github.io/server-side-tls/ssl-config-generator/

From that generator I used the Apache Intermediate config and now the problems are solved. The best cipher suite to support Internet Explorer would be:

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on

The only problem is, I now receive grade A- from Qualys SSL Labs, but it is working.

Bo Pennings
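To see which suites a string like the one above (or the one in the question) still leaves for clients that stop at TLS 1.0, expand it with `openssl ciphers -v` and pipe the output into this checker. It is an added example written for this thread, not Mozilla's or the answerer's code; the embedded sample lines are constructed, and grouping by the version column of `openssl ciphers -v` is an assumption of this script.

```python
# Hypothetical checker written for this thread (not Apache, OpenSSL or SSL Labs code): groups the
# suites an SSLCipherSuite string expands to by the oldest client protocol that can negotiate them.
import sys

PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.2": 2, "TLSv1.3": 3}  # column 2 of `openssl ciphers -v`

# Constructed sample in the `openssl ciphers -v` line format (not output from the site above).
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into dicts with name, proto and the Kx/Au/Enc/Mac fields."""
    suites = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 2:
            continue
        suite = {"name": parts[0], "proto": parts[1]}
        suite.update(field.split("=", 1) for field in parts[2:] if "=" in field)
        suites.append(suite)
    return suites

def usable_by(suites, client_max):
    """Names of the suites a client whose newest protocol is `client_max` can negotiate."""
    limit = PROTO_RANK[client_max]
    return [s["name"] for s in suites if PROTO_RANK.get(s["proto"], 99) <= limit]

def report(text, client_max="TLSv1"):
    """What a client that stops at `client_max` (default TLS 1.0, like IE 8-10 on Win 7) gets."""
    suites = parse_ciphers_v(text)
    usable = usable_by(suites, client_max)
    by_name = {s["name"]: s for s in suites}
    return {
        "usable": usable,
        # ECDH/DH key exchange gives forward secrecy; plain RSA key exchange does not.
        "forward_secret": [n for n in usable if by_name[n].get("Kx") in ("ECDH", "DH")],
        # 3DES/RC4 are the strongest ciphers Windows XP's Schannel (IE 6/8 on XP) offers.
        "legacy": [n for n in usable if by_name[n].get("Enc", "").startswith(("3DES", "RC4"))],
    }

if __name__ == "__main__":
    # Pipe `openssl ciphers -v '<SSLCipherSuite string>'` into this script; no input uses SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key, names in report(text).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

An empty "usable" list for TLSv1 is exactly the "Protocol or cipher suite mismatch" SSL Labs reports for browsers that do not enable TLS 1.2.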

I just ran into your question and want to answer your question using the following config:

SSLEngine on
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

You also need to add the following to your Apache vhost file:

<VirtualHost *:443>
    # Requires mod_headers. HTTPS for 1 year, including subdomains.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Last, you need to generate a dhparam certificate in this path: /etc/ssl/certs

You can use the following command line to generate one:

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

It may take some time, so be patient. When it is done, add it to your Apache config like this:

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Restart your Apache server and then check your CA at the SSL Labs site.

Digital site

I get an A+ rating with the following cipher suite:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

This also implies a robust forward secrecy on SSL Labs.

Ben