You have renewed 5 times - do you really think that is stopping you?
It only sets with ciphers should be used.
That's not correct. You can set the SSLCipherSuite multple times. Its allowed contexts are: "server config, virtual host, directory, .htaccess".
With aid of SNI you can set a SSLCipherSuite directive per <VirtualHost> block if you'd like. That won't "conflict" with each other.
"Allowed" and "actually do what you ask it" are two different things.
I speak form my personal experiences.
I speak from personal experience too. If you have multiple SSLCipherSuite directives in VirtualHost blocks, Apache will choose the cipher suites from the SSLCipherSuite directive from that VirtualHost.
Of course it will ignore "generic" SSLCipherSuite directives from outside the VirtualHost block.
@Osiris, If you have a wildcard, make four vhosts.
one for ssl
one for tlsv1
one for tlsv1.1
one for tlsv1.2
Tell me if it can do that.
That one isn't going to work due to my OpenSSL not supporting SSL any longer.
OK, what about the other three?
@rg305 Setting SSLProtocol -all TLSv1.2 and SSLProtocol -all TLSv1.3 with my other default TLS settings elsewhere it works nicely. Setting -tls1_1 or -tls1_3 on the OpenSSL s_client command line results in a failure when connecting to the Apache TLSv1.2 VirtualHost (as expected), but not with -tls1_2. Same goes for the TLSv1.3 VirtualHost, but obviously failures with -tls1_1 and -tls1_2 but not with -tls1_3.
It seems Added the "Old" Mozilla SSL Generator TLSv1 and TLSv1.1 don't play very well with my other TLS settings.SSLCipherSuite directive to those two specific VirtualHost blocks and gee, what'll you know, it works now. TLS1.0 and TLS1.1 only VirtualHost, working like a charm. Not effecting any other VirtualHosts at all.
2 Likes
have a look at this series
Exactly the same discussion
3 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.