I am using Apache 2.2.15 and am about to make it as secure as possible.
When I do a scan of one of my websites via the Qualys SSL Test (https://www.ssllabs.com/ssltest/analyze.html), it lists the following cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
I somehow want to get rid of the third line, with _SHA, because this should be covered by the line above it (the 2nd), with _SHA384.
I have the following vhost configuration:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES256GCM:AES256+EECDH
How should I change SSLCipherSuite to get rid of the last _SHA line?
Best Answer
Don't bother.
See "Why is HMAC-SHA1 still considered secure?"
Don't confuse the use of SHA1 as a certificate-signing algorithm (which is insecure) with the use of SHA1 in a cipher suite's HMAC.
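The answer's point stands: an HMAC-SHA1 record MAC is not the weakness a SHA-1 certificate signature is. If you still want the cipher list to match the Qualys output minus the CBC-SHA suite, the change is one keyword in OpenSSL's cipher-string syntax, which is what mod_ssl hands to OpenSSL unchanged: appending `:!SHA1` (alias `!SHA`) permanently removes every suite whose MAC is HMAC-SHA1, while AES-GCM suites are untouched because their MAC is AEAD, not SHA-1. The script below is an added example, not code from the question or the answer; it expands both cipher strings with the OpenSSL library Python is linked against and checks that nothing other than SHA-1-MAC suites was dropped. It assumes Python 3.6 or later (for `SSLContext.get_ciphers()`) and an OpenSSL build at a security level below 4, where the CBC-SHA suites are still selectable; the exact list on the Apache 2.2.15 host depends on that host's own OpenSSL.

```python
"""Expand an Apache SSLCipherSuite string with OpenSSL's cipher-string
engine and show what adding ":!SHA1" removes.

Added example, not from the question or the answer.  Assumes Python 3.6+
(SSLContext.get_ciphers) and an OpenSSL whose security level still
permits CBC-SHA suites.  The two cipher strings are the question's value
and the proposed replacement; everything else is constructed here.
"""
import ssl

# The SSLCipherSuite value from the question.
ORIGINAL = "EECDH+AES256GCM:AES256+EECDH"

# Same list, minus every suite whose record MAC is HMAC-SHA1.  "!SHA1"
# ("!SHA" is an alias) kills those suites permanently; AES-GCM suites have
# Mac=AEAD and survive.  Everything left is TLS 1.2-only.
TIGHTENED = "EECDH+AES256GCM:AES256+EECDH:!SHA1"


def expand(cipher_string):
    """Return the suites OpenSSL selects for a cipher string as a list of
    (name, protocol, digest) tuples in server preference order.  digest is
    the MAC hash ("sha1", "sha384", ...) or None for AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        # OpenSSL 1.1.1+ also lists TLS 1.3 suites, which SSLCipherSuite
        # (and the question's Apache 2.2 build) never control; skip them.
        if c["protocol"] == "TLSv1.3":
            continue
        digest = c["digest"].lower() if c["digest"] else None
        suites.append((c["name"], c["protocol"], digest))
    return suites


def sha1_mac_suites(cipher_string):
    """Names of the selected suites that use an HMAC-SHA1 record MAC."""
    return [name for name, _, digest in expand(cipher_string) if digest == "sha1"]


def compare(before, after):
    """Return (dropped, unexpected): dropped are suites selected by `before`
    but not by `after`; unexpected are dropped suites that did NOT use a
    SHA-1 MAC, i.e. collateral damage from the change."""
    before_digest = {name: digest for name, _, digest in expand(before)}
    after_names = {name for name, _, _ in expand(after)}
    dropped = [name for name in before_digest if name not in after_names]
    unexpected = [name for name in dropped if before_digest[name] != "sha1"]
    return dropped, unexpected


if __name__ == "__main__":
    for label, cipher_string in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(f"SSLCipherSuite {cipher_string}   ({label})")
        for name, proto, digest in expand(cipher_string):
            print(f"  {name:32} {proto:8} Mac={digest or 'AEAD'}")
    dropped, unexpected = compare(ORIGINAL, TIGHTENED)
    print("dropped:", dropped)
    print("dropped without a SHA-1 MAC (should be empty):", unexpected)
```

Two caveats before copying the tightened string into the vhost. First, the surviving suites (AES256-GCM-SHA384 and AES256-CBC-SHA384) exist only in TLS 1.2, so with `SSLProtocol ALL -SSLv2 -SSLv3` still allowing TLS 1.0 and 1.1, clients that cannot do 1.2 will have no suite in common and fail the handshake; the CBC-SHA suite was the only one in the original list those clients could use. Second, run `openssl ciphers -v 'EECDH+AES256GCM:AES256+EECDH:!SHA1'` on the Apache host itself, since that OpenSSL, not the one on your workstation, is what decides the list Qualys sees.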