Making sure SSLv2 is disabled in Apache (and Nginx)

Edit Jan 24, 2012: Deleted all the crap from this story and just left the recommended Apache and Nginx SSL cipher suites for maximum security without SSLv2 and without BEAST vulnerability (at least according to Qualys).

Apache httpd

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
SSLHonorCipherOrder on

nginx

        ssl_protocols  SSLv3 TLSv1;
        ssl_ciphers     ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
        ssl_prefer_server_ciphers   on;

Source:

3 Replies to “Making sure SSLv2 is disabled in Apache (and Nginx)”

Pingback: Making sure SSLv2 is disabled in Apache (and Nginx) » Didit Fringe Division
clinton says:

January 23, 2012 at 10:21 pm

Why do you show ssl_protocols on the new ones and not SSLProtocol?
1. Evan Hoffman says:
  
  January 23, 2012 at 11:12 pm
  
  Fixed, and cleaned up. Removed all the “bad” ciphersuites.

Comments are closed.

%d bloggers like this:

	GG on Mac Drivers for the HooToo USB…
	Jenn on New York Rising is a Scam
	sandee mcphee on New York Rising is a Scam
	Jenn on New York Rising is a Scam
	sandee mcphee on New York Rising is a Scam

Share this:

Like this:

3 Replies to “Making sure SSLv2 is disabled in Apache (and Nginx)”