Correct cipher suites code?

Hi Everyone,

I am trying to copy the strong cipher suites from an existing website to a new website. It's almost there, but some of them are not showing up in TLS 1.2 Cipher Suites.

I have these settings in my /etc/httpd/conf.d/ssl.conf file on the server of the new website. Please advise how I can make those highlighted ciphers from the existing website show up in the new website as well. I think I just have the codes wrong.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-ARIA256-CGM-SHA384:ECDHE-RSA-ARIA128-CGM-SHA256
SSLHonorCipherOrder on

My web server is (include version): Apache 2.4.43
The operating system my web server runs on is (include version): CentOS 7
The version of my client is : certbot 1.4.0

Thanks in advance!

Logbi


Not the answer to your CHACHA problem, but what's ARIA128 / ARIA256? My OpenSSL doesn't recognise it. Perhaps it isn't compiled into mine, perhaps not into yours either? It seems to be supported, but just doesn't show up in the default list of my openssl ciphers -v… I found some ARIA ciphers when I typed openssl ciphers -v ARIA:

  • ECDHE-ARIA128-GCM-SHA256
  • ECDHE-ARIA256-GCM-SHA384

It seems OpenSSL doesn't list the RSA part of the cipher suite name when it uses RSA instead of ECDSA?

Also, when I use your list of cipher suites in openssl ciphers -v, I'm getting the same list as SSLLabs presents on the right. So something is missing. Or incorrect.

If I run openssl ciphers -v | grep CHACHA, I find ECDHE-RSA-CHACHA20-POLY1305

So I guess the hashing parameter isn’t used with regard to CHACHA20…

This list gave me the green cipher suites (disregarding all the orange WEAK cipher suites) you wanted:

ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ARIA128-GCM-SHA256:ECDHE-ARIA256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

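The failure mode in this thread is that OpenSSL silently drops any entry of a colon-separated cipher string it does not recognise, so Apache starts fine and only the misspelled suites (CGM for GCM, a -SHA256 suffix that the CHACHA20 suite name does not carry, the RSA- that the ARIA names do not carry) quietly vanish. The following check, added here as an example and not code from the thread, resolves each entry of an SSLCipherSuite value on its own through Python's ssl module, which is bound to the same OpenSSL library and applies the same name resolution as openssl ciphers -v. The directive value is the one from the question; run it against the corrected list from the reply above to confirm every entry resolves on your build.

```python
import ssl

# SSLCipherSuite value from the question, reproduced here as sample input.
ORIGINAL_DIRECTIVE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-ARIA256-CGM-SHA384:ECDHE-RSA-ARIA128-CGM-SHA256"
)


def resolve(cipher_string):
    """Expand an OpenSSL cipher string the way Apache's SSLCipherSuite does.

    Returns the TLS 1.2-and-below suite names the local OpenSSL build selects
    for the string, or an empty list when nothing matches.  TLS 1.3 suites are
    filtered out because SSLCipherSuite (SSL_CTX_set_cipher_list) does not
    govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL only rejects the string when *no* TLS <= 1.2 suite matches.
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_directive(cipher_string):
    """Resolve each colon-separated entry separately.

    Inside a longer list an unknown entry is ignored without error, so the
    directive as a whole can 'work' while individual names are wrong.  Testing
    one entry at a time exposes exactly those names.
    Returns {entry: [resolved suite names]}.
    """
    return {entry: resolve(entry) for entry in cipher_string.split(":") if entry}


def unresolved_entries(cipher_string):
    """Entries the local OpenSSL cannot map to any cipher suite."""
    return [entry for entry, suites in check_directive(cipher_string).items() if not suites]


if __name__ == "__main__":
    for entry, suites in check_directive(ORIGINAL_DIRECTIVE).items():
        status = ", ".join(suites) if suites else "NOT RECOGNISED"
        print(f"{entry:40} -> {status}")
    print("Whole directive expands to:", resolve(ORIGINAL_DIRECTIVE))
```

Whether the ARIA entries resolve depends on the OpenSSL build behind your Python (and behind your Apache), which is the same caveat the reply above raises about openssl ciphers -v; the AES-GCM and the mistyped entries behave the same on every build.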

Here’s a really useful tool from Mozilla for generating recommended TLS configs in various software. Plug in your Apache and OpenSSL version, pick some other options and it spits out the suggested config.

https://ssl-config.mozilla.org/#server=apache&version=2.4.43&config=intermediate&openssl=1.1.1d&guideline=5.4

