Ssl – Apache SSL FS disable SHA1

apache-2.2Securityssl

I am using apache 2.2.15 and are about to make it as secure as possible.
When I do a scan of one of my websites via the Qualys SSL Test.
https://www.ssllabs.com/ssltest/analyze.html

It lists me the following cipher suits:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256

I somehow want to get rid of the thid line with _SHA, because this should be covered by the above line (2nd) with _SHA384.

I have the following vhost configuration:

SSLProtocol ALL -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCipherSuite EECDH+AES256GCM:AES256+EECDH

How should I change SSLCipherSuite to get rid of the last _SHA line?

Best Answer

Don't bother.

See Why is HMAC-SHA1 still considered secure?

Don't confuse the use of SHA1 as a certificate-signing algorithm (which is insecure) with the use of SHA1 in a cipher suite's HMAC.

Related Solutions

Ssl – Apache ProxyPass with SSL

You'll need mod_ssl, mod_proxy and optionally mod_rewrite. Depending on your distribution and Apache version you may have to check if mod_proxy_connect and mod_proxy_http are loaded as well.

The directives for enabling SSL proxy support are in mod_ssl:

<VirtualHost 1.2.3.4:80>
    ServerName foo.com
    SSLProxyEngine On
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
    ProxyPass / https://secure.bar.com
    ProxyPassReverse / https://secure.bar.com
</VirtualHost>

IIRC you can also use:

    RewriteRule / https://secure.bar.com [P]    # don't forget to setup SSLProxy* as well

Ssl – Apache: disable SSL for images, CSS and JS files

I wouldn't recommend doing so since every client will receive a warning about the mixed ssl/non ssl content. But you asked:

RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !(\.js|\.css)$ [NC]
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

Update

As @lekensteyn pointed out correctly, this is a not to underestimate waste of resources. Rewriting is not really performing well in that situation. Also the RewriteConditions have to be matched for each and every request to the files.

You will also need more open TCP Ports, which again produces overhead. And even if we don't go into detail that much there will be a significant overhead for having two protocols doing ones' job.

Best Answer

Related Solutions

Ssl – Apache ProxyPass with SSL

Ssl – Apache: disable SSL for images, CSS and JS files

Update

Related Topic