Hacker News new | comments | show | ask | jobs | submit login

The first tip for setting the cipher suite in Apache httpd is incomplete without:

    SSLHonorCipherOrder On
Without it, the client's preference is used, which may be a slower cipher in your list. You'll want to revise your SSLCipherSuite directive and there's nothing wrong with specifying individual ciphers instead of aliases when using such a short list.

You'll also want to monitor the effects of the change. Before you do anything, make sure you're logging SSL information with something like this:

      CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Collect some data for a few days, then update your cipher suite. In most cases, you'll probably want to see RC4-SHA (for now), since it's fast, widely supported and immune to BEAST attacks.

You're right, I forgot the honor cipher directive.

According to http://www.carbonwind.net/blog/post/A-quick-look-over-some-b... RC4+RSA is supported nearly everywhere, but it was not tested on mobile browsers.

As part of my researches on SSL tuning, I'll do a benchmark of all browsers, for cipher suites and TLS versions support.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact