It would appear that Debian 7.7 doesn't support ECDHE. Best I can get on a scan from SSL Labs is a B because my server is still using RC4 even though I have turned it off in SSLCipherSuites?

Just curious if anyone has looked into this before.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLCompression off

This server accepts the RC4 cipher, which is weak. Grade capped to B.


Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128

_________________
Kevin a.k.a. Dweeber

I believe this is an Apache thing, rather than a Debian thing. You can confirm by checking what your OpenSSL provides, but last I heard it was Apache's version provided on Debian that didn't handle ECDHE.

- Les

I have since confirmed that it is not the Debian server. OpenSSL has the correct ciphers.

openssl ciphers -v 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'

The issue is with the Apache package that I am using.


Thanks!

_________________
Kevin a.k.a. Dweeber