Updated SSLCipherSuite String

Chrome has been complaining “Your connection to website is encrypted with obsolete cryptography”.  I made a change to my SSLCipherSuite string located at /etc/apache2/mods-available/ssl.conf to fix this.
 

Chrome would like you to be using anything with a higher hash than SHA1 and using GCM instead of CBC suites.[1]  For a simple fix, we can move the one Chrome currently prefers to the top of the list:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDH+HIGH:EDH+HIGH:-3DES:DES-CBC3-SHA:!CAMELLIA:!MD5:!aNULL

This will be fine until Chrome (and other browsers) support AES256-GCM-SHA384. If you don’t mind a longer string and would like to future-proof now, you can change your string to:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDH+HIGH:EDH+HIGH:-3DES:DES-CBC3-SHA:!CAMELLIA:!MD5:!aNULL

Make sure you have SSLHonorCipherOrder set to on:

SSLHonorCipherOrder on

References:
[1] http://security.stackexchange.com/a/83891

Leave a Reply

Your email address will not be published. Required fields are marked *