[openssl-users] ciphers

Viktor Dukhovni openssl-users at dukhovni.org
Wed Feb 17 07:15:03 UTC 2016

On Wed, Feb 17, 2016 at 07:43:32AM +0100, mlrx wrote:

> >> # Apache 2.4
> >>                          !aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!RC4:!DSS: \
> >>                          !PSK:!SRP:!kECDH:!CAMELLIA:!IDEA:!SEED

This setting is a horrible mess, whichever site recommended this,
never listen to anything they recommend again.  I sure hope Apache
provides a more sensible default, but if you must, try one of:


The first one gives you the RFC7525 ciphers, the second allows
non-AEAD ciphers, and the third also non-PFS ciphers.  Which is
best for you depends on what clients you need to interoperate with.

You'll want a 2048-bit RSA key, secp384r1 or secp256r1 for an EECDH
curve, and DH parameters based on a 2048-bit EDH safe prime.

This answers one possible question about your configuration.


More information about the openssl-users mailing list