It is time to switch your HTTPS preferred cipher from RC4_128 (Apache 2.2)

By | 2013/11/19

So what was once the preferred cipher to use is now one to be avoided. Instead of an RC4 cipher, consider using an AES-GCM variant as your go-to cipher. Google and Facebook have made the switch, and now the rest of the internet is following.


Note that many of the newest fancy elliptic curve ciphers are only available on Apache 2.4, which is still not widely available in mainstream Linux deployments.


Here is an example for Apache 2.2 on Ubuntu 12.04 to use in /etc/apache2/mods-available/ssl.conf

SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5

The good news is that this is the default config for Ubuntu 12.04. So for many out there, no changes needed!

This will help to obtain an ‘A’ rating on Qualys’ SSL Labs.

For CentOS 6 and Red Hat 6 users, the defaults are also OK and lead to an AES_256_CBC cipher being used by most modern browsers.

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
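As an added check (my own script, not part of the original post), here is a Python snippet that feeds both SSLCipherSuite strings above through the local OpenSSL cipher-list parser, the same one mod_ssl uses, and reports the resulting order, whether RC4 is still in the list, and where the first AES-GCM suite lands. It also shows the effect of appending an explicit !RC4; the output depends on the OpenSSL build it runs against.

```python
import ssl

# The two SSLCipherSuite strings quoted in this post.
UBUNTU_1204 = "HIGH:MEDIUM:!ADH:!MD5"
CENTOS_6 = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW"


def expand_cipher_suite(spec):
    """Expand an SSLCipherSuite string into the ordered cipher names OpenSSL derives.

    Python's ssl module hands the string to the same OpenSSL cipher-list parser
    Apache mod_ssl uses, so the result reflects the local OpenSSL build.
    TLS 1.3 suites are dropped: SSLCipherSuite does not govern them and
    Apache 2.2 never speaks TLS 1.3.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(spec):
    """Report RC4 entries and the index of the first AES-GCM suite, if any.

    The order only decides the server's choice when SSLHonorCipherOrder is on;
    otherwise the client's preference order wins.
    """
    names = expand_cipher_suite(spec)
    rc4 = [n for n in names if "RC4" in n]
    gcm = [i for i, n in enumerate(names) if "AES" in n and "GCM" in n]
    return {"count": len(names), "rc4": rc4,
            "first_aes_gcm": gcm[0] if gcm else None}


def harden(spec):
    """Append an explicit !RC4 exclusion unless the string already has one."""
    if "!RC4" in spec.split(":"):
        return spec
    return spec + ":!RC4"


if __name__ == "__main__":
    for label, spec in (("Ubuntu 12.04", UBUNTU_1204), ("CentOS 6", CENTOS_6)):
        for s in (spec, harden(spec)):
            try:
                print(label, s, audit(s))
            except ssl.SSLError as err:
                # Older keywords (or an RC4-less build) can leave nothing to match.
                print(label, s, "rejected by this OpenSSL:", err)
```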

Rock on,