
I use apache2 on a SLES box and have configured SSL via mod_nss (because the standard mod_ssl is not able to provide TLS 1.1/1.2 due to an old, non-upgradable openssl <1.0 package in SLES).

How do I enable Forward Secrecy (FS) with such a setup? The guides that are available are mostly based on mod_ssl. I tried to follow instructions at https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy and enabled the ECDHE ciphers that are mentioned there, but according to https://www.ssllabs.com/ssltest/ this did not have any effect. I especially miss an analog to SSLHonorCipherOrder in mod_nss.

Is there a mod_nss specific guide anywhere, or is anyone who managed to set this up willing to share the config?

  • Might be time to upgrade the OS. – Michael Hampton Jan 12 '14 at 17:10
  • Well, I would need to *change* the OS, because even the current SLES 11 SP3 only includes openssh 0.98. It's an Enterprise distribution and they have difficulties certifying all apps with a newer openssl version. – VFrontDe Jan 16 '14 at 13:46
  • In that case, it might be better to finally separate the web server from the LOB apps. – Michael Hampton Jan 16 '14 at 16:36
  • Apache pre 2.4.x doesn't support ECDHE at all - just the DHE ciphers. If you want modern cipher suites, compile openssl from source and compile/install software that is capable of using those ciphers (e.g. nginx). – r_3 Dec 01 '14 at 11:12
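Since mod_nss offers no SSLHonorCipherOrder equivalent, the practical way to guarantee forward secrecy is to offer only ECDHE suites, so a client can never negotiate static RSA key exchange. The virtual host below is an added example, not configuration from the question or its comments; the directive names and cipher-suite tokens are assumed to match the nss.conf shipped with mod_nss 1.0.8 or later (the hostname, database path and certificate nickname are placeholders), and it assumes that suites not listed in NSSCipherSuite stay disabled.

```apache
# Added example: a mod_nss virtual host restricted to forward-secret suites.
# Tokens are assumed from mod_nss's own nss.conf; confirm the ones your build
# recognises, e.g. with: grep -i ecdhe /etc/apache2/conf.d/nss.conf
<VirtualHost *:443>
    # placeholder hostname
    ServerName www.example.com

    NSSEngine on
    # placeholder NSS database path and certificate nickname
    NSSCertificateDatabase /etc/apache2/alias
    NSSNickname Server-Cert

    # TLS 1.1/1.2 are the point of using mod_nss here; TLS 1.0 is kept only
    # for older clients and can be dropped if the client base allows.
    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

    # No server-side cipher ordering exists in mod_nss, so forward secrecy is
    # enforced by selection, not preference: only ECDHE suites are enabled
    # (+), the static-RSA suites are explicitly disabled (-), and (assumed)
    # anything unlisted stays disabled. A client without ECDHE support fails
    # the handshake instead of silently falling back to RSA key exchange.
    NSSCipherSuite +ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha,-rsa_aes_256_sha,-rsa_aes_128_sha,-rsa_3des_sha,-rsa_rc4_128_sha,-rsa_rc4_128_md5
</VirtualHost>
```

After restarting apache2, re-run the SSL Labs test mentioned in the question: every listed suite should now be an ECDHE one, and the report's forward secrecy entry should read as supported for all tested clients that can do ECDHE.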
