View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions SSL Support. Debian 7.7 doesn't support ECDHE?
Log in to Ask a Question

SSL Support. Debian 7.7 doesn't support ECDHE?

development

It would appear that Debian 7.7 doesn't support ECDHE. Best I can get on a scan from SSL Labs is a B because my server is still using RC4 even though I have turned it off in SSLCipherSuites?

Just curious if anyone has looked into this before.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLCompression off

This server accepts the RC4 cipher, which is weak. Grade capped to B.

Protocols

TLS 1.2 Yes

TLS 1.1 Yes

TLS 1.0 Yes

SSL 3 No

SSL 2 No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)

TLSECDHERSAWITHAES256GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLSECDHERSAWITHAES128GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128

TLSECDHERSAWITHAES256CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLSECDHERSAWITHAES128CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128

TLSECDHERSAWITHRC4128SHA (0xc011) WEAK 128

TLSECDHERSAWITHAES256CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLSECDHERSAWITHAES128CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128

TLSRSAWITHRC4128_SHA (0x5) WEAK 128

2 Replies

I believe this is an Apache thing, rather than a Debian thing. You can confirm by checking what your OpenSSL provides, but last I heard it was Apache's version provided on Debian that didn't handle ECDHE.

  • Les

I have since confirmed that it is not the Debian server. OpenSSL has the correct ciphers.

openssl ciphers -v 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'

The issue is with the Apache package that I am using.

Thanks!

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct