Perfect Forward Secrecy (PFS)

From snippet wiki

Choosing the right encryption isn't that easy.

On a current Debian 7.6 (wheezy), the best configuration for Apache 2.2 is:

# Enable TLS for this virtual host
SSLEngine      On
# Ephemeral ECDH/DH (forward-secret) suites first; static-RSA, SHA-1 and RC4
# suites are pushed to the end as fallbacks for old clients; anonymous, NULL,
# MD5, LOW, export, DSS, PSK and SRP suites are disabled outright
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH:EDH:HIGH:+RSA:+SHA:MEDIUM:+RC4:RC4:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
# Use the server's preference order above, not the client's
SSLHonorCipherOrder On
# TLS only: SSLv2 and SSLv3 are disabled
SSLProtocol    All -SSLv2 -SSLv3

# "combined" format plus the negotiated protocol and cipher of each request
LogFormat      "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{Referer}i\" \"%{User-agent}i\"" sslcombined

The log format definition can be used for your access.log; it records the SSL/TLS protocol and cipher negotiated for each request, so you can see which clients still depend on the non-forward-secret fallbacks.

(The lines are complete if you cut and paste them. They are just too long to be displayed here.)
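To make use of the extra fields, here is an added example (not part of the original snippet) that parses lines written with the sslcombined format above and reports which requests were negotiated without forward secrecy; the log lines and addresses are constructed, and the check relies on OpenSSL cipher names starting with ECDHE- or DHE- for ephemeral key exchange:

```python
import re
from collections import Counter

# Field layout of the page's "sslcombined" LogFormat: the two %{...}x fields
# sit between the response size (%b) and the Referer.
SSLCOMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'(?P<protocol>\S+) (?P<cipher>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample access.log content (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0200] "GET / HTTP/1.1" 200 2326 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2014:13:55:40 +0200] "GET /index.html HTTP/1.1" 200 512 TLSv1 AES256-SHA "-" "curl/7.26.0"
203.0.113.7 - - [10/Oct/2014:13:56:01 +0200] "POST /login HTTP/1.1" 302 - TLSv1 RC4-SHA "https://example.com/" "Mozilla/4.0"
203.0.113.8 - - [10/Oct/2014:13:56:10 +0200] "GET /a HTTP/1.1" 200 100 TLSv1.2 DHE-RSA-AES256-GCM-SHA384 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2014:13:56:12 +0200] "GET /plain HTTP/1.1" 200 100 - - "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one sslcombined line as a dict, or None."""
    m = SSLCOMBINED_RE.match(line)
    return m.groupdict() if m else None

def classify(cipher):
    """'plaintext' (no TLS, logged as '-'), 'pfs' or 'no-pfs'.

    ECDHE-/DHE- prefixed names are the suites the EECDH/EDH entries of the
    SSLCipherSuite select; everything else (AES256-SHA, RC4-SHA, ...) uses
    static RSA key transport, so a leaked server key decrypts old captures.
    """
    if cipher == "-":
        return "plaintext"
    return "pfs" if cipher.startswith(("ECDHE-", "DHE-")) else "no-pfs"

def summarize(log_text):
    """Count requests per class and list the non-PFS ones with their client."""
    counts = Counter()
    non_pfs = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        cls = classify(rec["cipher"])
        counts[cls] += 1
        if cls == "no-pfs":
            non_pfs.append((rec["host"], rec["protocol"], rec["cipher"], rec["agent"]))
    return counts, non_pfs

if __name__ == "__main__":
    counts, non_pfs = summarize(SAMPLE_LOG)
    print(dict(counts))
    for host, proto, cipher, agent in non_pfs:
        print(f"no forward secrecy: {host} {proto} {cipher} ({agent})")
```

The user agents in the non-PFS list show which clients still need the RSA and RC4 fallbacks in the cipher string; once that list stays empty, those fallbacks can be dropped.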