
I am using the following cipher string, which I keep updating today; don't worry if there is anything incomplete in it. Just help me disable AES128.

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:!AES128

It is still using this:

TLS_AES_128_GCM_SHA256 (0x1301)

For everyone wondering: after everyone's help, I have achieved this. This SSL config seems to me the most secure you can get in Apache while still supporting most devices, and you can achieve 100% on ssllabs.com:

SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLHonorCipherOrder On
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLUseStapling On
SSLStaplingCache "shmcb:ssl_stapling(32768)"

<VirtualHost *:443>
SSLEngine On
SSLOptions +StdEnvVars +ExportCertData
SSLCertificateFile "/path/to/trusted/ssl.crt"
SSLCertificateKeyFile "/path/to/its/ssl.key"
</VirtualHost>

Adjust the log file location to your needs, and please let me know if any vulnerabilities are present :)

Info:

This configuration was only made for 4096-bit certs. You can adjust it for 2048-bit ones.

1 Answer


The normal SSLCipherSuite option only sets the ciphers for TLS 1.2 and lower. TLS_AES_128_GCM_SHA256 is a TLS 1.3 cipher though and is not covered by the TLS 1.2-and-lower cipher string. To set TLS 1.3 ciphers, explicitly specify the protocol, i.e.:

SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Steffen Ullrich
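To make this answer's point checkable on your own httpd.conf, here is an added Python example (not code from the question or the answer) that parses the SSLCipherSuite directives, reports which TLS 1.3 suites remain in effect, and cross-checks the TLS 1.2 spec against the local OpenSSL the same way mod_ssl applies it. It assumes httpd's optional `SSL` / `TLSv1.3` protocol keyword syntax for SSLCipherSuite and OpenSSL's documented default TLS 1.3 suite list; the two sample configs are constructed from the lines on this page.

```python
"""Audit which TLS 1.3 cipher suites an Apache SSLCipherSuite setup leaves on.

Added example, not code from the original question or answer. Assumptions:
- SSLCipherSuite takes an optional protocol keyword, "SSL" (TLS 1.2 and
  lower) or "TLSv1.3", before the cipher spec (httpd 2.4.36+ syntax).
- When no "SSLCipherSuite TLSv1.3 ..." line exists, mod_ssl inherits
  OpenSSL's default TLS 1.3 suite list, hard-coded below.
"""
import ssl

# OpenSSL's built-in default TLS 1.3 ciphersuites (what you get when nothing
# calls SSL_CTX_set_ciphersuites). This is the assumption named above.
OPENSSL_DEFAULT_TLS13 = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

# Constructed sample configs: the question's original line, then the same
# line followed by the answer's TLSv1.3 directive.
QUESTION_CONFIG = "SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:!AES128\n"
ANSWER_CONFIG = QUESTION_CONFIG + (
    "SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n"
)


def parse_cipher_directives(config_text):
    """Return (tls12_spec, tls13_suites); tls13_suites is None when no
    explicit TLSv1.3 directive exists. A later directive overrides an earlier one."""
    tls12_spec, tls13_suites = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() != "sslciphersuite":
            continue  # httpd directive names are case-insensitive
        if len(parts) == 3 and parts[1].lower() == "tlsv1.3":
            tls13_suites = parts[2].split(":")
        elif len(parts) == 3 and parts[1].lower() == "ssl":
            tls12_spec = parts[2]
        elif len(parts) == 2:
            tls12_spec = parts[1]
    return tls12_spec, tls13_suites


def audit(config_text):
    """Report the effective TLS 1.3 suites and whether AES-128 survives there."""
    tls12_spec, tls13_suites = parse_cipher_directives(config_text)
    explicit = tls13_suites is not None
    effective = tls13_suites if explicit else list(OPENSSL_DEFAULT_TLS13)
    return {
        "tls12_spec": tls12_spec,
        "tls13_explicit": explicit,
        "tls13_suites": effective,
        # A "!AES128" in the TLS 1.2 spec never reaches this list.
        "aes128_in_tls13": any("AES_128" in s for s in effective),
    }


def openssl_view(tls12_spec):
    """Cross-check with the local OpenSSL: apply the TLS 1.2 spec the way
    mod_ssl does (cipher list only) and show what the context still offers.
    Returns None when this OpenSSL build has no TLS 1.3 support."""
    if not ssl.HAS_TLSv1_3:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(tls12_spec)
    ciphers = ctx.get_ciphers()
    return {
        "tls12": [c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"],
        "tls13": [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"],
    }


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(label, audit(cfg))
    print("local OpenSSL:", openssl_view("ECDHE-ECDSA-AES256-GCM-SHA384:!AES128"))
```

Running it on the question's single line reports `tls13_explicit: False` with TLS_AES_128_GCM_SHA256 still in the effective list; adding the answer's TLSv1.3 directive flips that. The `openssl_view` cross-check shows the same split from the library's side: `!AES128` removes AES-128 from the TLS 1.2 list while the TLS 1.3 suites are untouched by that string.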