Please consider upgrading the default SSL vhost to Mozilla intermediate (TLS 1.2+): --- 00_default_ssl_vhost.conf.virgin 2020-01-16 12:23:58.640846438 +0000 +++ 00_default_ssl_vhost.conf 2020-06-12 13:30:46.388679295 +0000 @@ -24,19 +24,19 @@ ## SSLProtocol: # Don't use SSLv2 anymore as it's considered to be broken security-wise. # Also disable SSLv3 as most modern browsers are capable of TLS. - SSLProtocol ALL -SSLv2 -SSLv3 + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 ## SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. # This list of ciphers is recommended by mozilla and was stripped off # its RC4 ciphers. (bug #506924) - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ## SSLHonorCipherOrder: # Prefer the server's cipher preference order as the client may have a # weak default order. - SSLHonorCipherOrder On + SSLHonorCipherOrder Off ## Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
Ping
(In reply to Tomáš Mózes from comment #0) > ## SSLHonorCipherOrder: > # Prefer the server's cipher preference order as the client may have > a > # weak default order. > - SSLHonorCipherOrder On > + SSLHonorCipherOrder Off > > ## Server Certificate: > # Point SSLCertificateFile at a PEM encoded certificate. If the > certificate Why do you flip this one?
(In reply to Lars Wendler (Polynomial-C) from comment #2) > (In reply to Tomáš Mózes from comment #0) > > ## SSLHonorCipherOrder: > > # Prefer the server's cipher preference order as the client may have > > a > > # weak default order. > > - SSLHonorCipherOrder On > > + SSLHonorCipherOrder Off > > > > ## Server Certificate: > > # Point SSLCertificateFile at a PEM encoded certificate. If the > > certificate > > Why do you flip this one? By default it's disabled https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder And also here https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 Seems like it's only enabled for "old" mozilla ssl profile (not for intermediate nor modern).
It is better to let the client choose the cipher based on its capabilities, for example because the client doesn't have AES hardware capabilities and CHACHA20 may be a better choice. This should only be done when all ciphers are considered strong enough, but that is the case with this patch. I'm wondering if we should keep the DHE-* ciphers at all. They don't add any additional value (since the ECDHE-* ciphers will be used in most cases) and the DH part is beginning to be suspect and starting to pop up in reports now.
Our default configuration matches mozilla-old configuration suggestions, if there is no strong reason we should upgrade to something more up to date. I believe mozilla's intermediate level is a good start.
