http/2.0 sslciphersuites with 256 bit alias crypto wars part seven meeting Canada

Some weeks ago canada released a document for offical / public websites. No longer is TLS 1.0 nor TLS 1.1 allowed, but TLS 1.2 and TLS 1.3

Until this writing apache does not support TLS 1.3 yet, but it will come soon. This is because Apache does not work 100% with OpenSSL 1.1.1 yet. Soon it will do.

This brings an updated SSL config for apache webserver

 

<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

H2Direct On

Some old clients including older Android versions are not longer supported, unless you install a newer browser like current Firefox.

http/2.0 sslciphersuites with 256 bit alias crypto wars part six meeting HIPPA

The chosen SSL Config was very good! But for I client I had to meet the specs from PCI DSS[1], HIPAA[2] and NIST[3].
The server already was PCI DSS ready. However since there are medical data it had to meet HIPAA too.

It turned out that HIPAA does not allow the nice CHACHA20-POLY1305 ciphers and I had to enable SSLStaplingCache that I turned of when I used StartSSL Certs cause of the timeout / outage from the response server from start ssl.

<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15553000; preload"
    </IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

H2Direct On

I still get an A+ on ssllabs plus all green lights on htbridge ssl test.

[1] Payment Card Industry Data Security Standard
[2] Health Insurance Portability and Accountability Act
[3] National Institute of Standards and Technology

Posts Tagged PCI

Archives by Month: