1Answer
  • 12
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

name Punditsdkoslkdosdkoskdo

Forward secrecy support?

Is it possible to amend the SSL ciphers to support forward secrecy on my CentOS server running Apache 2.4? I currently have the following cipher setup:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

This gives me an -A rating using the SSL Labs testing tool, but I receive the following warning:

This server does not support Forward Secrecy with the reference browsers. Grade will be capped to B from March 2018.

This warning looks to be originating for IE6/XP. Is there any possible way to pass this rule with my server configuration? It probably isn't that important, but if there's an easy way to support IE6/XP devices easily - I may as well!

It has nothing to do with IE6/XP. If you are still allowing SSLv3 or TLSv1.0 which is required to support IE6/XP, you are failing most test suites (including PCI compliance). Qualys has a page dedicated to their SSL Labs scoring system.

Regarding your ciphersuite string, adding !kRSA should do it. RSA key exchange does not provide forward secrecy.

I usually use the following.

SSLCipherSuite HIGH:!eNULL:!aNULL:!kRSA:!SRP:!PSK:!DSS:@STRENGTH
SSLHonorCipherOrder on

Openssl documents the cipher parameters string.

  • 3
Reply Report

Trending Tags