paul-w
Verified User
Hi
I updated DA today to the latest 1.48.3 and Apache to 2.4.16 using custombuild.
I got this message when I upgraded:
Old hat, I know. Found ssl_cipher to be "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (likely put there to address the Poodle SSLv3 exploit).
The update has automatically swapped it to ssl_cipher=HIGH:!aNULL:!MD5, as -SSLv3 is no longer needed with these binaries.
This is to allow TLSv1.0 and TLSv1.1 again, since disabling the SSLv3 cipher prevented them from working, affecting older browsers that don't support TLSv1.2.
When I test my server at https://www.ssllabs.com/ssltest I get:
This server uses RC4 with modern browsers. Grade capped to C.
The explanation is here:
https://community.qualys.com/blogs/securitylabs/2015/04/23/ssl-labs-rc4-deprecation-plan
Is there a reason not to disable RC4 other than supporting old browsers?
If I change /etc/httpd/conf/extra/httpd-ssl.conf to:
SSLCipherSuite HIGH:!ADH
My server gets an A rating from ssllabs.com
I'm prepared to take my chances with stopping support for older browsers. Any other reasons why I shouldn't make this change?
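As an added illustration (not from this post or from DirectAdmin's custombuild templates), here is the RC4-preferring cipher string quoted above beside a hardened mod_ssl block for Apache 2.4; it assumes OpenSSL 1.0.x cipher classes, where RC4 suites fall under MEDIUM rather than HIGH, which is why HIGH:!ADH drops them:

```apache
# --- Weak (old custombuild default): RC4+RSA is listed first, so a server
#     that honours its own order will pick RC4 even with modern browsers.
# SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

# --- Hardened replacement for /etc/httpd/conf/extra/httpd-ssl.conf
# Disable the broken protocol versions outright (POODLE is a protocol flaw,
# not a cipher flaw, so this is the right place to address it).
SSLProtocol             all -SSLv2 -SSLv3

# HIGH excludes RC4 (MEDIUM), export and NULL suites; !ADH/!aNULL drops
# anonymous key exchange, !MD5 drops the MD5-MAC suites.
SSLCipherSuite          HIGH:!ADH:!aNULL:!MD5

# Let the server, not the client, choose from the list above.
SSLHonorCipherOrder     on
```

To confirm the string expands to no RC4 suite on the host's OpenSSL, run `openssl ciphers -v 'HIGH:!ADH:!aNULL:!MD5' | grep RC4` and expect no output; then re-run the SSL Labs test after `service httpd restart`.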