I think I figured it out. I think I just had to scroll down a bit in Qualys SSL Labs. I see a list of browsers and with TLSv1.0 and TLSv1.1 disabled, I now see: Server sent fatal alert: protocol_version

I believe they're the ones that don't support the protocols that I've disabled. I think I'll try with TLSv1.0 disabled and maybe TLSv1.1 and TLSv1.2 enabled. That way I can be PCI compliant. Now I have to figure out what this SNI is and whether I want it enabled or not. Thanks for all the help!!

On Sat, Jul 16, 2016 at 6:06 PM, Spork Schivago <sporkschiv...@gmail.com> wrote:
> I made the required changes but don't get the A+ rating, still A. Forward Secrecy is enabled, which is good. I don't actually see scores for the bar graph but I do see certain ones don't go to the 100%. One was the Protocol Support. However, if I disable TLSv1 and TLSv1.1, then Protocol Support goes to 100%.
>
> I'm wondering what clients wouldn't be able to connect if I disable TLSv1.0 and TLSv1.1. I'd imagine if a client supports TLSv1.1, it probably supports TLSv1.2. Is there a list or any website that can test my website to see what browsers / OSes won't be able to connect? I'm okay with dropping TLSv1.0 and TLSv1.1 support if it means people using XP won't be able to connect but 99% of the internet users out there will be able. But if dropping support for TLSv1.0 and TLSv1.1 means only 10% of the users will be able to connect, I'd like to not drop it. Any suggestions from anyone?
>
> Thanks!
>
> On Sat, Jul 16, 2016 at 3:59 PM, Spork Schivago <sporkschiv...@gmail.com> wrote:
>> Wow, thank you Dr. James Smith! I am going to try your cipher list and see if I can get the A+ rating. That's exactly what I'm after. Are there any other drawbacks besides losing support for Java 6 and IE 6 clients? I originally started writing my website to be IE 6 compatible but after learning a good bit, I've decided that was a horrible idea. Even if users are still using XP, I believe they can at least install IE 8; however, people who are still running Windows XP should highly consider upgrading if they're getting on the internet, I'd think.
>>
>> Thank you!!!
>>
>> Ken
>>
>> On Sat, Jul 16, 2016 at 2:44 AM, Dr James Smith <j...@sanger.ac.uk> wrote:
>>> I use:
>>>
>>> SSLProtocol all -SSLv2 -SSLv3
>>> SSLHonorCipherOrder on
>>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>>>
>>> as the setting for ciphers - this gets an A+ rating on the Qualys SSL Labs scoring (although Java 6 + IE 6 clients don't work but that is the compromise you need to take)
>>>
>>> James
>>>
>>> On 15/07/2016 22:49, Spork Schivago wrote:
>>>> Hello,
>>>>
>>>> I think I figured it out. I removed the DES-CBC3-SHA line from the SSL Cipher Suite list and now this is the output from nmap:
>>>>
>>>> | Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
>>>> | Public Key type: rsa
>>>> | Public Key bits: 2048
>>>> | Signature Algorithm: sha256WithRSAEncryption
>>>> | Not valid before: 2016-07-13T03:49:00
>>>> | Not valid after: 2016-10-11T03:49:00
>>>> | MD5: e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
>>>> |_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
>>>> | ssl-enum-ciphers:
>>>> |   TLSv1.0:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |   TLSv1.1:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |   TLSv1.2:
>>>> |     ciphers:
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
>>>> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>>> |     compressors:
>>>> |       NULL
>>>> |     cipher preference: client
>>>> |_  least strength: A
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
>>>>
>>>> With the least strength being A, that's exactly what I want, right? That would mean the ciphers are very strong ones? I'm still trying to learn all of this and now I gotta figure out how to enable "Perfect" Forward Secrecy. Thanks!
>>>
>>> --
>>> The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>> For additional commands, e-mail: users-h...@httpd.apache.org
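As an added example (not from any poster in this thread), the script below parses the nmap ssl-enum-ciphers output format quoted above and flags the points the thread settles on: TLSv1.0/TLSv1.1 still enabled, ciphers without an ephemeral (ECDHE/DHE) key exchange and therefore without forward secrecy, 3DES suites, and "cipher preference: client" (the symptom of SSLHonorCipherOrder being off). The sample input is constructed in that format and abridged; the helper names are my own.

```python
import re

# Constructed sample, abridged, in the format of the nmap ssl-enum-ciphers output above.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     cipher preference: server
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|_?\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+) \(([^)]*)\) - ([A-F])\s*$")
PREF_RE = re.compile(r"^\|_?\s+cipher preference: (\w+)\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: {"ciphers": [(name, key_exchange, grade)], "preference": str}}."""
    result, current = {}, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            current = m.group(1)
            result[current] = {"ciphers": [], "preference": None}
        elif current and (m := CIPHER_RE.match(line)):
            result[current]["ciphers"].append(m.groups())
        elif current and (m := PREF_RE.match(line)):
            result[current]["preference"] = m.group(1)
    return result

def audit(parsed):
    """Flag the thread's points: legacy protocols, no forward secrecy, 3DES, client cipher order."""
    findings = []
    for proto, info in parsed.items():
        if proto in ("SSLv3", "TLSv1.0", "TLSv1.1"):
            findings.append(f"{proto}: legacy protocol still enabled, disable it in SSLProtocol")
        if info["preference"] != "server":
            findings.append(f"{proto}: cipher preference is {info['preference']}, set SSLHonorCipherOrder on")
        for name, _kex, _grade in info["ciphers"]:
            if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                findings.append(f"{proto}: {name} has no forward secrecy (no ephemeral key exchange)")
            if "3DES" in name:
                findings.append(f"{proto}: {name} uses 3DES")
    return findings
```

Run it on a saved `nmap --script ssl-enum-ciphers` report instead of SAMPLE to re-check a host after editing the Apache directives; an empty findings list means every enabled protocol and suite passes these four checks.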