0

I have a website and various clients (Web and Mobile) access it. I have used the following CipherSuite:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

But this CipherSuite accepts Low ciphers and SSLv2, which can lead to security issues. So I used the following CipherSuite:

    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    SSLProtocol all -SSLv2

But now how can I ensure that my clients will be able to access the website? Is there some other way to maintain the security of the server?

coderslay

2 Answers

2

I'm using

    SSLCipherSuite RC4-SHA:HIGH:!ADH

which is supposed to mitigate the BEAST attack.

user207421
  • That's nice. What about the accessibility of clients, and what about TLS/SSL renegotiation? Also, I am using Apache 2.2 – coderslay May 20 '13 at 07:12
  • I'm not aware of any clients that don't support these suites. This is a working configuration. You didn't mention renegotiation in your question, so I didn't address it in my answer. I am also using Apache 2.2. – user207421 May 20 '13 at 07:46
0

Take the guesswork out of the configuration by using a tool such as the Mozilla SSL Configuration Generator to check which configuration you should use.


(as described in this answer)

Community
Gaia
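Added example (not part of the original question or answers): one way to see what each cipher string from the question actually enables is to have OpenSSL expand it and flag the categories the question names (anonymous, NULL, export, low strength, SSLv2). It assumes the OpenSSL build that Python is linked against, which will differ from the build behind an Apache 2.2 server; the function names are hypothetical.

```python
import ssl

# The two cipher strings from the question, copied verbatim.
ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"


def expand(cipher_string):
    """Return the suites enabled for a cipher string.

    Assumption: the answer comes from the OpenSSL this Python is linked
    against, not from the web server's own OpenSSL build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def weaknesses(suite):
    """Classify one suite against the categories named in the question."""
    desc = suite["description"].split()  # same fields as `openssl ciphers -v`
    found = []
    if "Au=None" in desc:
        found.append("anonymous key exchange (aNULL/ADH)")
    if "Enc=None" in desc:
        found.append("no encryption (eNULL)")
    if "export" in desc:
        found.append("export grade (EXP)")
    if 0 < suite["strength_bits"] < 112:
        found.append("low strength (LOW)")
    if suite["protocol"] == "SSLv2":
        found.append("SSLv2 only")
    return found


def audit(cipher_string):
    """Map suite name -> list of weaknesses, for flagged suites only."""
    report = {}
    for suite in expand(cipher_string):
        found = weaknesses(suite)
        if found:
            report[suite["name"]] = found
    return report


if __name__ == "__main__":
    for label, string in (("original", ORIGINAL), ("hardened", HARDENED)):
        flagged = audit(string)
        print(f"{label}: {len(expand(string))} suites, {len(flagged)} flagged")
        for name, found in sorted(flagged.items()):
            print(f"  {name}: {', '.join(found)}")
```

On the server itself, `openssl ciphers -v '<string>'` prints the same expansion for that host's OpenSSL.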