@subaddiction
Created May 21, 2015 12:46
LOGJAM mitigation for Apache 2.2
# This mod_ssl configuration mitigates the LOGJAM attack on Apache versions (< 2.4)
# in which the "SSLOpenSSLConfCmd DHParameters" directive was not yet implemented.
# It mitigates the attack by avoiding the use of DHE ciphers.
# Test here: https://weakdh.org/sysadmin.html
<IfModule mod_ssl.c>
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
</IfModule>
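A way to confirm that a cipher string like the one above really leaves no finite-field DHE suite enabled; this is an added example, not part of the original gist. It pulls each `SSLCipherSuite` value out of a config and expands it with the OpenSSL build that Python links against, which is an assumption: Apache's own OpenSSL may expand the string differently. `WEAK_CONFIG` and all function names are constructed for illustration.

```python
import re
import ssl

# The gist's SSLCipherSuite directive, copied from the page.
GIST_CONFIG = """<IfModule mod_ssl.c>
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
</IfModule>
"""

# Constructed counter-example: a config that still offers a DHE suite.
WEAK_CONFIG = "SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256\n"

# Matches active directives only; lines starting with '#' do not match.
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.+?)\s*$", re.I | re.M)


def cipher_specs(config_text):
    """Return the cipher-spec of every SSLCipherSuite directive in the text."""
    # The spec is the last argument (Apache 2.4 allows a protocol before it).
    return [m.group(1).split()[-1].strip('"') for m in DIRECTIVE.finditer(config_text)]


def expand(spec):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def is_ffdhe(cipher):
    """True when the suite's key exchange is finite-field Diffie-Hellman."""
    return cipher.get("kea") == "kx-dhe" or cipher["name"].startswith(("DHE-", "EDH-", "ADH-"))


def dhe_suites_in_config(config_text):
    """Names of all finite-field DH suites the config would enable."""
    found = set()
    for spec in cipher_specs(config_text):
        found.update(c["name"] for c in expand(spec) if is_ffdhe(c))
    return sorted(found)


if __name__ == "__main__":
    for label, cfg in (("gist", GIST_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "->", dhe_suites_in_config(cfg) or "no DHE suites enabled")
```

TLS 1.3 suites may appear in the expanded list regardless of the cipher string; they do not use the finite-field DHE key exchange this check looks for.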
@gaia

gaia commented Jun 27, 2015

Which browsers would not be compatible with this CipherSuite?
