Re: Apache and TLS renegotiation
Matthias Drochner <M.Drochner%fz-juelich.de@localhost> wrote:
> You could try to build apache against pkgsrc/openssl which is 0.9.8q
> and thus supports RFC5746.
Yes, that works.
FWIW, here are the interesting options to get a good score at Qualys'
SSL labs test at https://www.ssllabs.com/ssldb/index.html (assuming the
certificate is not self-signed and the private key is long enough):
# Enable Strict-Transport-Security (means client should only use
Header set Strict-Transport-Security "max-age=15768000"
# Enable Session resumption (SSL speedup)
# Disable vulnerable SSLv2 and algorithms < 128 bits.
SSLProtocol all -SSLv2
It seems enabling SSLv3 costs a few points. Is SSLv3 really vulnerable?
As I understand it, there are clients out there that do not support
TLSv1, therefore disabling SSLv3 is a security vs compatibility tradeoff.
Is anyone knowledgeable about that?
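
The following is an added example, not part of the original message: a small Python audit that reads an Apache configuration and reports the three settings the post discusses (HSTS max-age, protocols left enabled by SSLProtocol, and whether a session cache is configured). The sample configuration is constructed, the function names are hypothetical, and the protocol set is limited to what an OpenSSL 0.9.8 build offers.

```python
import re

# Constructed sample: the directives quoted in the post, placed in a vhost.
SAMPLE_CONF = '''\
<VirtualHost *:443>
    SSLEngine on
    Header set Strict-Transport-Security "max-age=15768000"
    SSLProtocol all -SSLv2
</VirtualHost>
'''

KNOWN = {'sslv2', 'sslv3', 'tlsv1'}  # assumption: OpenSSL 0.9.8-era protocols

def directives(conf):
    """Yield (lowercased name, argument string) for each directive line."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in '#<':
            continue  # skip blanks, comments and section tags
        parts = line.split(None, 1)
        yield parts[0].lower(), parts[1] if len(parts) > 1 else ''

def enabled_protocols(args):
    """Resolve an SSLProtocol argument list such as 'all -SSLv2' to a set."""
    enabled = set()
    for tok in args.lower().split():
        sign = tok[0] if tok[0] in '+-' else ''
        proto = tok[1:] if sign else tok
        targets = set(KNOWN) if proto == 'all' else {proto} & KNOWN
        if sign == '-':
            enabled -= targets
        elif sign == '+':
            enabled |= targets
        else:
            enabled = targets  # an unprefixed token replaces the current set
    return enabled

def audit(conf):
    """Return the HSTS max-age, enabled protocols and session cache state."""
    found = {'hsts_max_age': None, 'protocols': set(), 'session_cache': False}
    for name, args in directives(conf):
        if name == 'header' and 'strict-transport-security' in args.lower():
            m = re.search(r'max-age=(\d+)', args)
            found['hsts_max_age'] = int(m.group(1)) if m else None
        elif name == 'sslprotocol':
            found['protocols'] = enabled_protocols(args)
        elif name == 'sslsessioncache':
            found['session_cache'] = args.strip().lower() != 'none'
    return found
```

Run against the sample, the audit shows SSLv3 still enabled alongside TLSv1 and no session cache configured.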