SSLCipherSuite defines “the list” of ciphers the server will accept/negotiate when establishing TLS connections - separated by colons (":").
The point of the command is to explicitly control which ciphers to allow and even which to deny.
Much like SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2, which explicitly defines which protocols to allow ("+") and which to deny ("-").
If you understand one, then you should understand the other - they go “hand-in-hand”.
If you want to understand more clearly what exactly any of them do, you can use OpenSSL to show you what it considers to be in each “group”/“set” with this command (the exact output depends on the version of OpenSSL…), for instance:
openssl ciphers 'EECDH+AESGCM'
would return something like this:
So in a sense the two are equal.
You could type:
and your web server would react in exactly the same way to those two instructions.
You can also explicitly deny ciphers/“sets” by using “!” (the bang symbol, here used as NOT).
Should shorten the list above by removing any ciphers using AES128.
Which is the previous list but now without any AES128 ciphers.
The negation can come anywhere in the string (at the front, in the middle, at the end, or spread throughout); it really doesn’t matter. A negation will negate through the entire result.
Enabling, however, is applied in order from left to right.
So, in your config, these “EECDH+AESGCM” will come before these “EDH+AESGCM” (whatever they may resolve to).
With those basic instructions and some common understanding you should be able to at least expand any of the SSLCipherSuite settings, be they in “sets” or by entire lines…
openssl ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
Now even though the SSLCipherSuite is resolved in the order written and separated by colons, that actual order will only be applied/maintained if the additional command SSLHonorCipherOrder is set to on (which is not the default).
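To check the expansion, negation and ordering rules described above without a web server, here is an added example (not part of the original answer) that drives the same OpenSSL cipher-string parser through Python's ssl module; the function names expand and negation_is_position_independent are my own, and the resolved names depend on the OpenSSL version linked into Python, exactly as the CLI output does.

```python
import ssl


def expand(cipher_string):
    """Resolve an OpenSSL cipher string the way `openssl ciphers '<string>'`
    does, returning the cipher names in the order they would be offered.
    Raises ssl.SSLError if the string selects no cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # OpenSSL 1.1.1+ always prepends its TLS 1.3 suites; a classic
    # SSLCipherSuite string only governs TLS 1.2 and below, so drop them
    # to see exactly what the string itself selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negation_is_position_independent(base, excluded):
    """True when '!<excluded>' removes the same ciphers whether it is
    written before or after the enabling set (the page's claim)."""
    return expand(f"!{excluded}:{base}") == expand(f"{base}:!{excluded}")


if __name__ == "__main__":
    # Constructed sample strings taken from the text above.
    for s in ("EECDH+AESGCM",
              "EECDH+AESGCM:!AES128",
              "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"):
        print(s)
        for name in expand(s):
            print("    ", name)
    # Left-to-right order of the enabling sets decides who goes first.
    print(expand("AES256+EECDH:AES128+EECDH")[0])
    print(expand("AES128+EECDH:AES256+EECDH")[0])
```

Remember that the order you see here is only what the server proposes; without SSLHonorCipherOrder on, the client's preference wins the negotiation.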