So, to block the support of DH Export, it is enough to change or specify a "Ciphers" setting:
ListenHTTPS
...
...
Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
End
However, to be absolutely on the safe side, I'd recommend to compile your own binary with 2048 bit long DH params (the default ones are "just" 1024 bit anyway).
Luckily the steps are quite simple and straight forward:
- wget http://www.apsis.ch/pound/Pound-2.7.tgz
- tar -xzf Pound-2.7.tgz
- cd Pound-2.7
- ./configure --with-dh=2048 --prefix= --exec_prefix=/usr
- make
- make install
Also consider adding "Disable SSLv3" (just above Ciphers) to disable SSL3 which is considered insecure.
Using all this will give you a solid A- on https://www.ssllabs.com/ssltest/analyze.html
No comments:
Post a Comment