Forward secrecy support?

Is it possible to amend the SSL ciphers to support forward secrecy on my CentOS server running Apache 2.4? I currently have the following cipher setup:


This gives me an A- rating using the SSL Labs testing tool, but I receive the following warning:

This server does not support Forward Secrecy with the reference browsers. Grade will be capped to B from March 2018.

This warning looks to be originating for IE6/XP. Is there any possible way to pass this rule with my server configuration? It probably isn't that important, but if there's an easy way to support IE6/XP devices easily - I may as well!

It has nothing to do with IE6/XP. If you are still allowing SSLv3 or TLSv1.0, which is required to support IE6/XP, you are failing most test suites (including PCI compliance). Qualys has a page dedicated to their SSL Labs scoring system.

Regarding your ciphersuite string, adding !kRSA should do it. RSA key exchange does not provide forward secrecy.

I usually use the following.

SSLHonorCipherOrder on

OpenSSL documents the cipher parameters string.
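To see which suites a cipher string still allows without forward secrecy, the Kx= column of `openssl ciphers -v` can be filtered. The script below is an added example, not part of the original answer; the function names are hypothetical and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag suites without forward secrecy in `openssl ciphers -v`
# output, judged by the Kx= (key exchange) column.

# Reads `openssl ciphers -v` output on stdin and prints the name of every
# suite whose key exchange is not ephemeral (EC)DH. Kx=any marks TLS 1.3
# suites, which always use an ephemeral exchange. Anything else (Kx=RSA,
# Kx=PSK, ...) is reported; this allow-list is a conservative assumption.
non_fs_suites() {
    awk '{
        kx = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (kx == "") next
        if (kx != "ECDH" && kx != "DH" && kx != "ECDHEPSK" && kx != "DHEPSK" && kx != "any")
            print $1
    }'
}

# Constructed sample in the `openssl ciphers -v` layout, so the filter can be
# tried without an OpenSSL install.
sample_output() {
    cat <<'EOF'
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
EOF
}

# Against a real cipher string (assumes the openssl CLI is installed):
#   openssl ciphers -v 'YOUR:CIPHER:STRING'       | non_fs_suites
#   openssl ciphers -v 'YOUR:CIPHER:STRING:!kRSA' | non_fs_suites
# The second command should print nothing once RSA key exchange is excluded.
if [ "${1:-}" = "--demo" ]; then
    sample_output | non_fs_suites
fi
```

Run it with `--demo` to see the two RSA key exchange suites from the constructed sample reported.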

