SSL Support. Debian 7.7 doesn't support ECDHE?

It would appear that Debian 7.7 doesn't support ECDHE. Best I can get on a scan from SSL Labs is a B because my server is still using RC4 even though I have turned it off in SSLCipherSuites?

Just curious if anyone has looked into this before.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLCompression off

This server accepts the RC4 cipher, which is weak. Grade capped to B.


TLS 1.2 Yes

TLS 1.1 Yes

TLS 1.0 Yes

SSL 3 No

SSL 2 No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)

TLSECDHERSAWITHAES256GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLSECDHERSAWITHAES128GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128

TLSECDHERSAWITHAES256CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLSECDHERSAWITHAES128CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128


TLSECDHERSAWITHAES256CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLSECDHERSAWITHAES128CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128


2 Replies

I believe this is an Apache thing, rather than a Debian thing. You can confirm by checking what your OpenSSL provides, but last I heard it was Apache's version provided on Debian that didn't handle ECDHE.

  • Les

I have since confirmed that it is not the Debian server. OpenSSL has the correct ciphers.


The issue is with the Apache package that I am using.



Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct