SSL Support. Debian 7.7 doesn't support ECDHE?

It would appear that Debian 7.7 doesn't support ECDHE. Best I can get on a scan from SSL Labs is a B because my server is still using RC4 even though I have turned it off in SSLCipherSuites?

Just curious if anyone has looked into this before.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLCompression off

This server accepts the RC4 cipher, which is weak. Grade capped to B.

Protocols

TLS 1.2 Yes

TLS 1.1 Yes

TLS 1.0 Yes

SSL 3 No

SSL 2 No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128

TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK 128

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128

TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
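
A quick way to check whether the posted SSLCipherSuite is what the scanned listener is actually applying, as an added example that is not part of the original post: it tests each suite from the scan against the directive's cipher string. The keyword table covers only the three OpenSSL keywords used in that directive, and the function names are illustrative.

```python
import re

# Suites from the scan above, trimmed to name and id (underscores restored).
SCAN = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_RC4_128_SHA (0x5)
"""

# Split an IANA suite name into key exchange, bulk cipher and MAC/PRF hash.
SUITE_RE = re.compile(
    r"^(?P<name>TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>SHA\d*|MD5))"
    r"\s+\((?P<id>0x[0-9a-f]+)\)",
    re.M,
)

# OpenSSL cipher-string keywords from the post, as predicates on a parsed suite.
KEYWORDS = {
    "AES256": lambda s: s["enc"].startswith("AES_256"),
    "EECDH": lambda s: s["kx"].startswith("ECDHE_"),
    "EDH": lambda s: s["kx"].startswith("DHE_"),
}

def allowed(suite, cipher_string):
    # ':' separates alternatives; '+' inside an alternative is a logical AND.
    return any(
        all(KEYWORDS[word](suite) for word in alternative.split("+"))
        for alternative in cipher_string.split(":")
    )

def audit(scan_text, cipher_string):
    suites = [m.groupdict() for m in SUITE_RE.finditer(scan_text)]
    return {
        "offered": [s["id"] for s in suites],
        "outside_policy": [s["id"] for s in suites if not allowed(s, cipher_string)],
        "rc4": [s["name"] for s in suites if s["enc"].startswith("RC4")],
    }

if __name__ == "__main__":
    report = audit(SCAN, "AES256+EECDH:AES256+EDH")
    for key, values in report.items():
        print(f"{key}: {', '.join(values)}")
```

Five of the eight offered suites, including both RC4 suites, fall outside `AES256+EECDH:AES256+EDH`, so the listener that was scanned is not applying the directive as posted.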

2 Replies

I believe this is an Apache thing, rather than a Debian thing. You can confirm by checking what your OpenSSL provides, but last I heard it was Apache's version provided on Debian that didn't handle ECDHE.

  • Les

I have since confirmed that it is not the Debian server. OpenSSL has the correct ciphers.

openssl ciphers -v 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'

The issue is with the Apache package that I am using.

Thanks!
