Finding a good cipher suite for your web server is not an easy task. openssl ciphers -v ALL:COMPLEMENTOFALL lists all the ciphers available on your system.
What we don't want:
- SSLv3, which is no longer secure
- 128-bit encryption, which is too weak
- ciphers with no encryption (Enc=None) ;)
- DSS for authentication (Au=DSS)
- DHE-RSA-AES256-SHA, which is no longer secure
- TLSv1, which is no longer secure
- PSK (pre-shared key) ciphers
- CBC ciphers, because of the BEAST attack
- RSA, because of FREAK, SMACK and ROBOT
- AESCCM, as it is also Cipher Block Chaining (CBC)
That gives us:
openssl ciphers -v ALL:COMPLEMENTOFALL | grep -v "SSLv3" | grep -v "(128)" | grep -v "Enc=None" | \
grep -v "Au=DSS" | grep -v "DHE-RSA-AES256-SHA" | grep -v "TLSv1 " | grep -v "Au=PSK" | grep -v "Kx=RSAPSK" | \
grep -v "CAMELLIA" | grep -v "CBC" | grep -v "Au=RSA" | grep -v "Au=None" | grep -v "Enc=AESCCM"
Now choose your poison.
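As an added example (not code from the original post), the same exclusion chain packaged as shell functions that turn the surviving suite names into an Apache SSLCipherSuite value. It runs on a constructed excerpt of openssl ciphers -v output and assumes only a POSIX shell with grep and awk; one pattern, Enc=AES(, is added beyond the post's chain because openssl ciphers -v prints AES-CBC suites as Enc=AES(256) without the letters CBC in the line.

```shell
#!/bin/sh
# Added example, not from the original post: the post's exclusion filter as
# functions that read `openssl ciphers -v` style lines from stdin.

# Constructed sample in the column layout `openssl ciphers -v` prints:
# NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
SAMPLE='ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM        TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)    Mac=SHA384
ECDHE-ECDSA-AES256-SHA        TLSv1   Kx=ECDH     Au=ECDSA Enc=AES(256)    Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384     TLSv1.2 Kx=DH       Au=DSS   Enc=AESGCM(256) Mac=AEAD
AES256-SHA                    SSLv3   Kx=RSA      Au=RSA   Enc=AES(256)    Mac=SHA1
PSK-AES256-GCM-SHA384         TLSv1.2 Kx=PSK      Au=PSK   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH    Au=ECDSA Enc=Camellia(256) Mac=SHA384'

# Exactly the grep -v chain from the post.
posted_filter() {
    grep -v 'SSLv3' | grep -v '(128)' | grep -v 'Enc=None' | grep -v 'Au=DSS' \
    | grep -v 'DHE-RSA-AES256-SHA' | grep -v 'TLSv1 ' | grep -v 'Au=PSK' \
    | grep -v 'Kx=RSAPSK' | grep -v 'CAMELLIA' | grep -v 'CBC' | grep -v 'Au=RSA' \
    | grep -v 'Au=None' | grep -v 'Enc=AESCCM'
}

# `openssl ciphers -v` lists AES-CBC suites as Enc=AES(256) with no "CBC" in
# the line, so the CBC grep above only catches suites whose name contains CBC
# (e.g. DES-CBC3-SHA). Dropping Enc=AES( removes the rest, as the post intends.
filter_ciphers() {
    posted_filter | grep -v 'Enc=AES('
}

# Keep only the suite name (first column) and join with ':' for SSLCipherSuite.
cipher_suite_string() {
    filter_ciphers | awk '{ printf "%s%s", (NR > 1 ? ":" : ""), $1 } END { print "" }'
}

# Demo on the constructed sample. On a real host use:
#   openssl ciphers -v ALL:COMPLEMENTOFALL | cipher_suite_string
printf '%s\n' "$SAMPLE" | cipher_suite_string
```

On the sample, ECDHE-ECDSA-AES256-SHA384 (a CBC suite) survives the post's chain but not the extended one.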
SSL tests like https://www.ssllabs.com/ssltest/index.html report a vulnerability to the CRIME attack. To defend against it with Apache you can turn off SSL compression, which makes it easy to defend against.
During the summer rumours about a new attack against SSL started circulating (CVE-2011-3389).
As it turns out, the attack itself was conceived years ago, deemed impractical, but it was nevertheless fixed in TLS 1.1. The new attack technique introduced a few optimizations to make it practical.
In terms of mitigation, I expect this problem will be largely addressed on the client side, despite a potential compatibility problem that may cause some TLS sites to stop working.
With this config you can avoid that attack.
SSLProtocol all -SSLv2
# No longer needed, because since IE 7 this works ;)
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
With OpenSSL 1.0.1 it must be