Hello:
SSL labs reduces their grade if the server does not support forward secrecy. They link to this on how to configure:
https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
—snip—
Enabling forward secrecy can be done in two steps:
Configure your server to actively select the most desirable suite from the list offered by SSL clients.
Put ECDHE and DHE suites to the top of your list. (The order is important; because ECDHE suites are faster, you want to use them whenever clients support them.)
Knowing which suites to enable and move to the top can be tricky, because not all browsers (devices) support all forward secrecy suites. At this point you may want to look for inspiration from those who are already supporting forward secrecy, for example Google.
In a nutshell, these are some of the suites you might want to enable and push (close) to the top:
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
—snip—
I modified httpd.conf to include these ciphers like this:
SSLCipherSuite TLS_ECDHE_RSA_WITH_RC4_128_SHA:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:
DH+AES256:ECDH+AES128:
DH+AES:ECDH+3DES:DH+3DES:
RSA+AESGCM:
RSA+AES:RSA+3DES:
!aNULL:!MD5:!DSS
I restarted httpd, and there was no change in the forward secrecy score. The TLS_ECDHE suites are not even in the list of cipher suites on the ssllabs report.
CentOS Linux 6.5
Linux 2.6.32-358.0.1.el6.x86_64 on x86_64
Virtualmin version 4.08.gpl GPL
httpd Apache HTTP Server Running latest 2.2.15-29.el6.vm.1 Virtualmin
Any ideas?
Thanks,
Bill56