Cipher Configuration on Apache HTTPD

Hello Experts:

I need to configure Apache HTTPD to only take the following ciphers:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

This is what I have in my ssl.conf configuration file:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite AES128+EECDH:AES128+EDH:!3DES:!DES

I am confused on how to translate the above ciphers into the proper Apache syntax.

Apache/2.2.15
CentOS release 6.5 (Final)

OpenSSL 1.0.1e-fips 11 Feb 2013
java version "1.7.0_45"

Thanks.

willie0-360Asked: 2016-11-28

Who is Participating?

LVL 16

Phil PhillipsDirector of DevOps & Quality AssuranceCommented: 2016-11-28

Apache uses the format that OpenSSL uses. This page has a translation from the specification name to the OpenSSL equivalent: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

So, in your case, the SSLCipherSuite line would look like:

SSLCipherSuite ECDHE-RSA-AES256-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA

Open in new window

willie0-360Author Commented: 2016-11-28

That looks very promising Phil. By any chance, can you help me understand what these other expressions mean:

(0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS

(0x35)

(0x2f)

Thanks very much.

LVL 16

Phil PhillipsDirector of DevOps & Quality AssuranceCommented: 2016-11-28

ECDH refers to the encryption protocol (Elliptic curve Diffie–Hellman)
secp256r1 refers to the elliptic curve used by the cipher
FS indicates that the cipher supports Forward Secrecy

I'm not sure what (0xc014)/(0x35)/(0x2f) are, but I'm guessing it's a constant associated with the cipher.