I have an Apache 2.4.7 web server running multiple domain names using a single IP address. As a result of the Poodle vulnerability, I added the following SSLCipherSuite line.
It worked fine for a while, but users are reporting problems with accessing the page in Firefox. Asking the users to switch browsers is unfortunately not an option, so I need to change the settings to support TLS 1.0, 1.1 and 1.2.
The current settings are:
<VirtualHost ZYX.XYZ.org:443>
    DocumentRoot /var/www/ZYX.XYZ/www
    ServerName ZYX.XYZ.org
    <Directory "/var/www/ZYX.XYZ/">
        allow from all
        Options -Indexes
    </Directory>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH
    SSLCertificateFile /etc/apache2/ssl/XYZ.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/XYZ.org.key
    SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
</VirtualHost>
If we look at Qualys' test, we see that the server only supports TLS 1.2.
What would the appropriate settings be for enabling TLS 1.0, TLS 1.1 and TLS 1.2, so the site can support older browsers, and also maintain a decent level of security?
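The cause of the TLS 1.2-only behaviour is the cipher string itself: in OpenSSL's cipher-list syntax `-SSLv3` removes every suite defined for SSLv3, and TLS 1.0 and 1.1 negotiate exactly those same suites, so only the TLS 1.2-specific (SHA256/GCM) suites survive. The protocol version should be restricted with `SSLProtocol` instead. The vhost below is an added example rewritten from the configuration in the question (not an answer from the original page); it keeps the question's paths and host name, uses the Apache 2.4 `Require` syntax in place of `allow from all`, and assumes the server's OpenSSL build offers ECDHE suites, which 2.4.7 with OpenSSL 1.0.1 does.

```apache
<VirtualHost ZYX.XYZ.org:443>
    DocumentRoot /var/www/ZYX.XYZ/www
    ServerName ZYX.XYZ.org
    <Directory "/var/www/ZYX.XYZ/">
        # Apache 2.4 form of the 2.2-era "allow from all"
        Require all granted
        Options -Indexes
    </Directory>

    SSLEngine on

    # POODLE mitigation belongs here: drop SSLv2/SSLv3 as protocol versions
    # while leaving TLS 1.0, 1.1 and 1.2 enabled for older browsers.
    SSLProtocol all -SSLv2 -SSLv3

    # Prefer the server's ordering so a capable client gets forward-secret
    # AES-GCM first, and an old client still falls back to AES-CBC/SHA1.
    SSLHonorCipherOrder on

    # No "-SSLv2:-SSLv3" keywords: those also delete every TLS 1.0/1.1 suite.
    # Weak families (NULL, export, DES/3DES, RC4, MD5) are excluded explicitly.
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK

    SSLCertificateFile /etc/apache2/ssl/XYZ.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/XYZ.org.key
    SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
</VirtualHost>
```

After `apache2ctl configtest` and a restart, `openssl s_client -connect ZYX.XYZ.org:443 -tls1` (and `-tls1_1`, `-tls1_2`) should each complete a handshake, while `-ssl3` should be refused; `openssl ciphers -v 'ALL:-SSLv3'` on the server shows why the original string only left TLS 1.2 suites.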