Re: [Sks-devel] Recommended HKPS protocols & ciphersuites?

From: David Benfell
Subject: Re: [Sks-devel] Recommended HKPS protocols & ciphersuites?
Date: Sun, 3 Aug 2014 13:55:19 -0700
User-agent: Mutt/1.5.23 (2014-03-12)

On Sun, Aug 03, 2014 at 09:29:49PM +0200, Pete Stephenson wrote:
> Hi all,
> For those running HKPS-enabled servers in the pool, what protocols and
> ciphersuites do you use?
> I'd hope that it'd be safe these days to disable SSLv2. How about SSLv3?
> RC4?
> I'd like to provide a reasonable fallback to older clients that don't
> support modern ciphers, but without jeopardizing the security of modern
> clients that do.
Here is my incantation for Apache (I think this will work in both 2.2
and 2.4, but I don't remember). It gets me an A+ rating on the Qualys
SSL test:

        SSLEngine on

        SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.2
        SSLHonorCipherOrder on
        SSLCompression Off
        SSLInsecureRenegotiation off
        SSLOptions StdEnvVars
        Header add Strict-Transport-Security: "max-age=15768000"

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

However, I have been mean about some older clients. I don't care about
Yandex, for example, and don't know why they don't update their SSL

David Benfell <address@hidden>
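As an added example (not code from this message or from the SKS project), here is a small Python checker that parses an Apache mod_ssl fragment like the one above and reports the points the original question raised: SSLv2/SSLv3, RC4, cipher order, compression and HSTS. It assumes the Apache 2.4 meaning of "all" in SSLProtocol (no SSLv2), and run over the posted fragment it flags only that no SSLCipherSuite line is present, so mod_ssl's default cipher list applies rather than an explicit RC4 exclusion.

```python
# Constructed input for the checker: the Apache fragment from the message above.
POSTED = """
    SSLEngine on
    SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.2
    SSLHonorCipherOrder on
    SSLCompression Off
    SSLInsecureRenegotiation off
    Header add Strict-Transport-Security: "max-age=15768000"
"""

def parse_directives(text):
    """Map lowercased directive name -> argument string; '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def enabled_protocols(spec):
    """Apply SSLProtocol +/- tokens left to right ('all' as in Apache 2.4: no SSLv2)."""
    all_names = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
    enabled = set()
    for tok in spec.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = all_names if name == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit(text):
    """Return the findings a reviewer would raise for one SSL vhost fragment."""
    d = parse_directives(text)
    findings = []
    protos = enabled_protocols(d.get("sslprotocol", "all"))
    findings += [f"{p} enabled" for p in ("sslv2", "sslv3") if p in protos]
    suite = d.get("sslciphersuite")
    if suite is None:
        findings.append("SSLCipherSuite not set (mod_ssl default applies)")
    elif any("rc4" in t.lower() and not t.startswith("!") for t in suite.split(":")):
        findings.append("RC4 allowed by SSLCipherSuite")
    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder not on (client picks the cipher)")
    if d.get("sslcompression", "").lower() != "off":
        findings.append("SSLCompression not explicitly off (CRIME)")
    if "strict-transport-security" not in text.lower():
        findings.append("no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    print(audit(POSTED))
```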