Hi Readers!
I don't get a green "A" on www.ssllabs.com!
Main reason is that I can't change the DH key for the running 2.2 Apache,
which has a hard-coded 1024-DH key built in. In Apache 2.4.x I can change
the key to a 2048 key.
Read: http://tinyurl.com/otw7kds

Any good ideas out there?

PS: To get a yellow B you have to modify
/etc/opt/novell/apache2/conf/vhosts.d/NAM-Service.conf


Code:
--------------------
SSLEngine on
SSLHonorCipherOrder On
# for Apache 2.4.x
# I would switch the DH key as follows
# SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"
#

# Supported Ciphers
# HEY there is NO LINEBREAK in this line
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLVerifyDepth 10
# supported Protocols Without SSL V2 and V3
SSLProtocol all -SSLv2 -SSLv3
# Your Snakeoil certificates .... ;-)
SSLCertificateFile /opt/novell/apache2/certs/myNewSnakeOIL_SuperSecure_most_expensive_Cert.pem
SSLCertificateChainFile /opt/novell/apache2/certs/new_SnakeOil_Chain_of_no-TRUST.pem
--------------------


--
jottschi
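
Added example (not part of the original post, and not NetIQ or Apache code): a small linter for an SSLCipherSuite value that flags tokens damaged by a stray space or a lost separator, and lists the tokens that enable DHE key exchange, which is what depends on the built-in 1024-bit DH key in Apache 2.2. The vocabulary, the function name and both sample strings are assumptions constructed for this example.

```python
import re

# Vocabulary: only the name parts used in this post's cipher list (an assumption
# of this example, not OpenSSL's full grammar; extend it for other lists).
KNOWN_PARTS = {
    "ECDHE", "DHE", "EDH", "KRB5", "RSA", "ECDSA", "DSS",
    "AES128", "AES256", "GCM", "DES", "CBC3",
    "SHA", "SHA256", "SHA384",
    "kEDH", "AESGCM", "AES", "CAMELLIA",
    "aNULL", "eNULL", "EXPORT", "RC4", "MD5", "PSK", "aECDH",
}
DHE_PARTS = {"DHE", "EDH", "kEDH"}   # ephemeral finite-field DH key exchange
BROAD_ALIASES = {"AES", "CAMELLIA"}  # expand to many suites, DHE ones included

# Constructed samples: one with a stray space and a lost ':' separator, one clean.
GARBLED = ("ECDHE-RSA-AES25 6-GCM-SHA384:"
           "ECDHE-ECDSA-AES256-GCM-SHA384HE-RSA-AES128-GCM-SHA256:AES:!aNULL")
CLEAN = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:"
         "AES128-SHA:AES:!aNULL:!EDH-RSA-DES-CBC3-SHA")


def lint_cipher_string(value):
    """Return (suspicious, dhe_enabling, broad) token lists for a cipher string."""
    suspicious, dhe_enabling, broad = [], [], []
    # OpenSSL accepts ':', ',' and whitespace as separators, so a stray space
    # or line break silently splits one suite name into two bogus tokens.
    for token in re.split(r"[:,\s]+", value.strip()):
        if not token:
            continue
        excluded = token[0] in "!-"          # '!' and '-' remove suites
        parts = re.split(r"[-+]", token.lstrip("!-+"))
        if any(p not in KNOWN_PARTS for p in parts):
            suspicious.append(token)         # unknown part: typo or damage
        elif not excluded:
            if DHE_PARTS & set(parts):
                dhe_enabling.append(token)   # uses the server's DH parameters
            elif len(parts) == 1 and parts[0] in BROAD_ALIASES:
                broad.append(token)          # may pull in DHE suites as well
    return suspicious, dhe_enabling, broad


if __name__ == "__main__":
    for name, value in (("GARBLED", GARBLED), ("CLEAN", CLEAN)):
        bad, dhe, broad = lint_cipher_string(value)
        print(name, "suspicious:", bad, "DHE:", dhe, "broad aliases:", broad)
```

Run it against the value copied from NAM-Service.conf before restarting Apache; an empty first list means every token was built from known parts.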