I have an Apache/2.4.18 server with OpenSSL/1.0.1s. I used the
Mozilla SSL Configuration Generator
to generate the SSL config:
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSL Labs test gives these messages:
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
The server does not support Forward Secrecy with the reference browsers.
Also, in "handshake simulation" it gives the message:
Apple ATS 9 / iOS 9 R Server sent fatal alert: handshake_failure
How do I get rid of these, especially the last one so that iOS 9 users can connect without any problems?
Thanks!
Best Answer
You should get a SHA2 certificate, first of all, as Chrome requires it.
Your ssl configuration should look like this:
Optionally you could add these for extra security:
Honoring the order of the cipher suite is not mandatory.