Apache SSL Cipher Suites: Perfect Forward Secrecy

I was interested to tune my https sites with Apache to support only cipher suites that use the ephemeral Diffie-Hellman key exchange = perfect forward secrecy. But after searching a while through the Internet, only SSLCipherSuite with a few concrete algorithms were presented, while I wanted to use a more generic option such as known from “!MD5”. Here it is:

For a basic understanding, please read those articles: At a Glance – Perfect Forward Secrecy (PFS), Apache documentation SSLCipherSuite Directive, Mozilla Wiki Security/Server Side TLS.

Security (not backward compatibility)

I wanted to use cipher suites with only ephemeral Diffie-Hellman key exchange. (Note that the DH exchange without ephemeral does NOT provide perfect forward secrecy!) Furthermore, I only wanted to use strong ciphers, i.e., AES, and only strong hash algorithms, i.e., not MD5. I was not interested in supporting every old Internet Explorer, and so on. I focused merely on security.

–> This is the Cipher Suite I am using for all my Apache servers:

That is:

  • All suites under the HIGH classification
  • But without the key exchange algorithms of RSA, DH with RSA key, DH with DSA key, and Secure Remote Password (refer to SSLCipherSuite Directive). –> Only ephemeral Diffie-Hellman!
  • No NULL authentication
  • No 3DES
  • No MD5

(Additional, I am always disabling the SSLv3 protocol on all installations:
SSLProtocol all -SSLv3 .)

List of Cipher Suites

OpenSSL can list the selected cipher suites (-v option). Here is my list:

 

Handshake Simulation

And as always, I am using the SSL Server Test from Qualys SSL Labs at https://www.ssllabs.com/ssltest/. With my presented Cipher Suites, this looks like the following (20. October 2014):

2014-10-20 12_20_56-Qualys SSL Labs - Projects _ SSL Server Test

That is: Some old browsers are not supported. But I don’t care since I am not earning money with my servers. I was merely interested in the green “FS” results. ;)

Leave a Reply

Your email address will not be published. Required fields are marked *