Choosing the right order for SSLCipherSuite

Sorry for the lack of sources and explanations, but this is mainly just a backup of my current Apache HTTPd config file, for the part relating to the SSL virtual host. Usually I check and update it with the advice from the automated tests from SSL Labs. More details on building this file and the certificates that go with it are in this previous post.

<VirtualHost *:443>
   ServerName catchall.example.com
   ServerAlias *.example.com
   ServerAlias example.com
   DocumentRoot "/home/example/sd/nowww/"
   SSLEngine on
   SSLProtocol all -SSLv2
   #SSLProtocol -ALL +SSLv3 +TLSv1
   SSLHonorCipherOrder On
   SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
   # SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
   # bad options: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

   SSLCertificateFile /var/certs/www_example_com.crt
   SSLCertificateKeyFile /var/certs/www_example_com_Priv.key
   SSLCertificateChainFile /var/certs/www_example_com.ca-bundle
   #SSLCACertificateFile /var/certs/ca.pem
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   <Directory "/home/example/sd/nowww/">
      allow from all
      Options -Indexes
   </Directory>
</VirtualHost>
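
A quick structural check for the SSLCipherSuite value, as an added example that is not part of the original config: it splits the string into OpenSSL operators and names, lists the token-level preference order that SSLHonorCipherOrder enforces, and reports duplicates, stray characters and names re-added after a permanent `!` exclusion. The function names `parse` and `lint` and the second sample value are assumptions; how aliases such as HIGH or RC4 expand into concrete suites depends on the local OpenSSL build and is not modelled here.

```python
import re

# Active SSLCipherSuite value as posted in the virtual host above.
ACTIVE = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:"
          "!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM")
# Constructed sample: a value with a trailing ';' left on the last token.
WITH_SEMICOLON = "ECDHE-RSA-AES256-SHA384:HIGH:!aNULL:!AESGCM;"

# Characters accepted in a cipher or alias name ('+' joins aliases, as in RC4+RSA).
VALID_NAME = re.compile(r"[A-Za-z0-9_.=@+-]+\Z")


def parse(spec):
    """Split an OpenSSL cipher string into ordered (operator, name) pairs.

    Operator is '!' (exclude permanently), '-' (remove), '+' (move to end)
    or '' (append to the preference list).
    """
    pairs = []
    for token in re.split(r"[:, ]+", spec.strip()):
        if token:
            op = token[0] if token[0] in "!-+" else ""
            pairs.append((op, token[len(op):]))
    return pairs


def lint(spec):
    """Return (preference, findings) for one SSLCipherSuite value."""
    preference, findings, seen, killed = [], [], set(), set()
    for op, name in parse(spec):
        if not VALID_NAME.match(name):
            findings.append(f"invalid characters in {op + name!r}")
        if (op, name) in seen:
            findings.append(f"duplicate token {op + name!r}")
        seen.add((op, name))
        if op == "!":
            killed.add(name)
        elif op == "" and name in killed:
            # '!' is permanent: a later plain mention cannot bring it back.
            findings.append(f"{name!r} added after '!{name}' has no effect")
        elif op == "" and name not in preference:
            preference.append(name)
    return preference, findings


if __name__ == "__main__":
    for value in (ACTIVE, WITH_SEMICOLON):
        print(lint(value))
```

For the fully expanded, ordered suite list on a given host, pass the same string to `openssl ciphers -v`.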

Posted in servers, web development.

