Ssl – How to specify exact ciphers for the Apache TLS server

opensslssl

I have a web server. I configured the TLS versions I want to enable using:

sudo gedit mysitecom.conf

Inside the .conf I listed the desired versions using (as an example): SSLProtocol -TLSv1 -TLSv1.1 TLSv1.2

I want to make a test server with one or few specific ciphersuites. How to do this? Say I want one ciphersuite in a test, and two ciphersuites in the second test. What is the right way to specify exact ciphersuite e.g. DHE-RSA-AES128-SHA256 (not a family of ciphers)?

Best Answer

Using the SSLCipherSuite directive, you can enter a colon-separated cipher-spec string. While this is commonly seen containing aliases like MEDIUM or aNULL, it can include any valid OpenSSL cipher, specified like EDH-RSA-DES-CBC3-SHA.

The full list of ciphers available is determined by which version of OpenSSL you're using. You can use openssl ciphers to view the list as installed on your system.

And if you're already going down this route, you might want to leverage the expertise of Qualys' SSL and TLS Deployment Best Practices which includes both recommended ciphers and other relevant portions of the configuration.

Related Topic