Arieh
08-18-2010, 05:13 PM
A friend of mine pointed out that my SSL website wasn't fully secure because it was accepting low cipher suites, 128-bit and lower. I ran some SSL tester on my domain and it also came with the suggestion to change this.
What I first tried is changing the SSLCipherSuite setting in /etc/httpd/conf/extra/httpd-ssl.conf, but that didn't seem to have an effect on the other virtual hosts (as explained here http://www.directadmin.com/forum/showthread.php?p=180572#10).
So if you don't want to accept (most) 128-bit and lower, and be secure and cool, you could change the existing SSLCipherSuite and also add it to the bottom of /etc/httpd/conf/extra/httpd-ssl.conf:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Giving me a score of 88 at https://www.ssllabs.com/ssldb/index.html
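Added example (not part of Arieh's post, and not DirectAdmin or Apache code): a small script that expands an SSLCipherSuite value into the concrete suites it enables, so you can see what a string like the one above actually allows before restarting httpd. mod_ssl passes the directive to OpenSSL's SSL_CTX_set_cipher_list() unchanged, and Python's stdlib ssl module calls the same function, so the expansion below matches `openssl ciphers -v '<string>'` on the same OpenSSL build. Worth knowing when reading the post's string: `RC4+RSA` deliberately keeps RC4 suites with RSA key exchange and `+MEDIUM` keeps 128-bit suites and 3DES (112-bit), which is why the post says "(most)". RC4 has since been prohibited in TLS (RFC 7465), so the script also flags it. The STRICT_CIPHER_STRING used for comparison is this example's own choice, not a setting from the post.

```python
import ssl

# The SSLCipherSuite value from the post. Apache's mod_ssl hands this string
# to OpenSSL unchanged, so expanding it here shows exactly what httpd would offer.
POST_CIPHER_STRING = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# A stricter string used only for comparison (an assumption of this example,
# not from the post): HIGH-strength suites only, no anonymous key exchange,
# no NULL encryption, no RC4, no MD5 MACs, no 3DES.
STRICT_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES"

# OpenSSL suite-name fragments that a modern scanner would flag regardless of key size.
# (3DES suites are named DES-CBC3-* in OpenSSL; ADH/AECDH are anonymous DH/ECDH.)
BANNED_FRAGMENTS = ("RC4", "DES-CBC3", "NULL", "ADH", "AECDH", "MD5")


def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string into the suites it enables.

    Returns a list of (name, protocol, strength_bits) tuples in the order
    OpenSSL would offer them. TLS 1.3 suites are appended regardless of the
    string, exactly as OpenSSL itself does; on builds without RC4 (OpenSSL 3
    without the legacy provider) RC4 suites simply do not appear.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the string selects nothing
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weak_suites(spec, min_bits=128, banned=BANNED_FRAGMENTS):
    """Return the suites enabled by `spec` that are below `min_bits`
    or whose name contains one of the banned algorithm fragments."""
    flagged = []
    for name, proto, bits in expand_cipher_string(spec):
        if bits < min_bits or any(frag in name for frag in banned):
            flagged.append((name, proto, bits))
    return flagged


def summarize(spec):
    """Summary a practitioner can compare between two candidate strings."""
    suites = expand_cipher_string(spec)
    return {
        "total": len(suites),
        "min_bits": min(bits for _, _, bits in suites),
        "weak": weak_suites(spec),
    }


if __name__ == "__main__":
    for label, spec in (("post", POST_CIPHER_STRING), ("strict", STRICT_CIPHER_STRING)):
        s = summarize(spec)
        print(f"{label}: {s['total']} suites, weakest {s['min_bits']} bits, "
              f"{len(s['weak'])} flagged")
        for name, proto, bits in s["weak"]:
            print(f"  flagged: {name} ({proto}, {bits} bits)")
```

Run it on the box that serves the site (or any machine with the same OpenSSL version), since the expansion depends on which suites that OpenSSL build knows about. The same check on the command line is `openssl ciphers -v 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'`. Even the stricter string here is only a comparison point; current guidance goes further (forward-secret ECDHE suites with AEAD ciphers only).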