LOGJAM mitigation for Apache 2.2
# This mod_ssl configuration mitigates the LOGJAM attack on Apache versions
# in which the "SSLOpenSSLConfCmd DHParameters" directive is not yet implemented (< 2.4).
# It mitigates the attack by avoiding the use of DHE ciphers.
# Test here: https://weakdh.org/sysadmin.html
<IfModule mod_ssl.c>
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
</IfModule>
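
A local check that the SSLCipherSuite string above enables no DHE suite, added here as an example and not part of the original gist. It expands the string with the OpenSSL library linked into Python, which is assumed to resolve cipher names the same way as the server's OpenSSL; the function names and the contrast string are constructed for illustration.

```python
import ssl
from collections import Counter

# SSLCipherSuite value copied from the configuration above.
GIST_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Constructed contrast string: one DHE suite next to one ECDHE suite.
CONTRAST_CIPHERS = "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the suites it enables locally."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def kx_token(cipher):
    """Return the key-exchange token (e.g. 'Kx=ECDH') from the description."""
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token
    return "Kx=unknown"


def dhe_ciphers(cipher_string):
    """Names of enabled suites that use finite-field DH ('Kx=DH')."""
    # ECDHE is reported as 'Kx=ECDH' and static RSA as 'Kx=RSA'.
    return [c["name"] for c in expand(cipher_string) if kx_token(c) == "Kx=DH"]


def kx_summary(cipher_string):
    """Count enabled suites per key-exchange token."""
    return Counter(kx_token(c) for c in expand(cipher_string))


if __name__ == "__main__":
    print("key exchanges:", dict(kx_summary(GIST_CIPHERS)))
    print("DHE suites   :", dhe_ciphers(GIST_CIPHERS) or "none")
```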

gaia commented Jun 27, 2015

Which browsers would not be compatible with this CipherSuite?