jackalope 450 days ago

The first tip for setting the cipher suite in Apache httpd is incomplete without:

    SSLHonorCipherOrder On

Without it, the client's preference is used, which may be a slower cipher in your list. You'll want to revise your SSLCipherSuite directive and there's nothing wrong with specifying individual ciphers instead of aliases when using such a short list.

You'll also want to monitor the effects of the change. Before you do anything, make sure you're logging SSL information with something like this:

    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Collect some data for a few days, then update your cipher suite. In most cases, you'll probably want to see RC4-SHA (for now), since it's fast, widely supported and immune to BEAST attacks.
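
Once that CustomLog is in place, here is an added example (my own, not code from the thread) that tallies the resulting ssl_request_log by negotiated protocol and cipher so the before/after cipher-suite change can be compared; the log lines are constructed for illustration, not real traffic.

```python
import re
from collections import Counter

# Matches the CustomLog format quoted above:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\d+|-)$'
)

# Constructed sample lines (not real traffic). mod_log_config writes "-"
# for an unset variable, e.g. a plain-HTTP request on the same vhost.
SAMPLE_LOG = """\
[10/Oct/2013:13:55:36 +0000] 203.0.113.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 2326
[10/Oct/2013:13:55:37 +0000] 198.51.100.7 TLSv1 RC4-SHA "GET /app.js HTTP/1.1" 10240
[10/Oct/2013:13:55:38 +0000] 198.51.100.9 SSLv3 RC4-SHA "GET /index.html HTTP/1.1" 512
[10/Oct/2013:13:55:39 +0000] 192.0.2.44 TLSv1 AES256-SHA "POST /login HTTP/1.1" 88
[10/Oct/2013:13:55:40 +0000] 192.0.2.45 - - "GET /plain HTTP/1.1" 300
garbage line that does not match
"""

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Count (protocol, cipher) pairs and protocols; comparing two runs of
    this (before and after the SSLCipherSuite change) shows what actually
    got negotiated. 'skipped' counts unparsable or non-TLS lines."""
    pairs, protos, skipped = Counter(), Counter(), 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] == "-":
            skipped += 1
            continue
        pairs[(rec["proto"], rec["cipher"])] += 1
        protos[rec["proto"]] += 1
    return pairs, protos, skipped

def cipher_share(pairs, cipher):
    """Fraction of TLS requests that negotiated the given cipher name."""
    total = sum(pairs.values())
    if total == 0:
        return 0.0
    return sum(n for (_, c), n in pairs.items() if c == cipher) / total

if __name__ == "__main__":
    pairs, protos, skipped = summarize(SAMPLE_LOG)
    for (proto, cipher), n in pairs.most_common():
        print(f"{n:6d}  {proto:8s} {cipher}")
    print(f"RC4-SHA share: {cipher_share(pairs, 'RC4-SHA'):.0%}, skipped {skipped}")
```

Run it against the real file with `summarize(open("/var/log/httpd/ssl_request_log").read())` and keep the Counters from before the change to diff against.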

geal 450 days ago

You're right, I forgot the honor cipher directive.

According to http://www.carbonwind.net/blog/post/A-quick-look-over-some-b... RC4+RSA is supported nearly everywhere, but it was not tested on mobile browsers.

As part of my research on SSL tuning, I'll do a benchmark of all browsers, for cipher suites and TLS versions support.


