On 4/21/2014 1:25 PM, Jochen Spieker <ml@well-adjusted.de> wrote:
> I use these settings and receive good results:
>
> SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
> SSLHonorCipherOrder on
> SSLProtocol all -SSLv2 -SSLv3
Thanks Jochen,

One thing that has always confused me about Apache config is where to put things like this, especially in Debian (I'm still learning my way around)...

The Apache docs say to put this in httpd.conf, but Debian doesn't use it, and apache2.conf doesn't show anything like these parameters either?

Do I need to put this in both /etc/apache2/sites-available/default-ssl and /etc/apache2/sites-available/myhost.conf, or just in default-ssl?

Thanks again, and sorry for the noob questions...
AFAICT, it is not possible to be both resistant to BEAST attacks and have Perfect Forward Secrecy at the same time with wheezy's Apache. But since BEAST may be (and usually is) mitigated on the client side, I prefer PFS.

> Enable 'Strict-Transport-Security'

I didn't know this one. You can add this line to any VirtualHost with a hostname that you only want to be accessed with SSL:

    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Do not use it if some parts of your site should be accessible without SSL.

> Enable 'SPDY'

This is an extension to HTTP developed by Google. Some of its ideas will find their way into the next version of HTTP (2.0). You don't strictly need it and it does not improve security except by making SSL mandatory.

J.
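To answer the "where does this go on Debian" question and to show the HSTS header from Jochen's message in context, here is an added example of a complete SSL VirtualHost in the Debian layout. It is not taken from the thread or from Debian's shipped file; it assumes the /etc/apache2/sites-available/default-ssl path named in the question, uses www.example.com as a placeholder ServerName, and points at the snakeoil certificate that Debian's ssl-cert package installs. The cipher, protocol and HSTS directives are copied verbatim from the messages above.

```apache
# /etc/apache2/sites-available/default-ssl  (example file, path assumed from the question)
#
# The SSL* directives only take effect inside an SSL-enabled vhost (or globally in
# /etc/apache2/mods-available/ssl.conf, which every SSL vhost inherits unless it
# overrides them). A plain-HTTP vhost such as myhost.conf on port 80 does not need them.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.com             # placeholder, replace with your hostname
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    SSLEngine on
    # Debian's self-signed placeholder cert from the ssl-cert package; swap for a real one.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Settings from Jochen's message: disable SSLv2/SSLv3, let the server pick the
    # cipher, and prefer the ephemeral (forward-secret) suites listed first.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

    # HSTS, from the thread: only on a hostname that must never be served over plain
    # HTTP, because browsers will refuse http:// for max-age seconds once they see it.
    # Needs mod_headers (a2enmod headers).
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    ErrorLog  ${APACHE_LOG_DIR}/ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
</VirtualHost>
</IfModule>
```

Enable the pieces with `a2enmod ssl`, `a2enmod headers` and `a2ensite default-ssl`, run `apache2ctl configtest` before `service apache2 reload`, and then confirm the protocol restriction took effect: `openssl s_client -connect www.example.com:443 -ssl3` should fail to complete a handshake, while a connection without `-ssl3` should report one of the EDH or EECDH suites from the list. If you would rather apply the cipher and protocol settings to every SSL vhost at once, put the three SSL* lines in /etc/apache2/mods-available/ssl.conf instead and keep only the HSTS header per vhost, since HSTS is a per-hostname decision.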