In my quest to have the most secure mail server on the planet I keep tinkering with my SSL settings. In my latest experiment I wanted to see if I could force 256 bit encryption. Before my experiment, in my Apache config for SSL I had the following GnuTLSPriorities set:
GnuTLSPriorities SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:-RSAThat was pretty good, but most browsers would revert back to 128 bit cyphers for performance. I wanted to force 256 bit for security damn it!
I decided to add a few more entries under GnuTLSPriorities that removed anything less than 256 bit ciphers. I changed my config to read:
GnuTLSPriorities Secure256:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:-RSA:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBCWhat that does is restricts everything to TLS 1.1 or TLS 1.2 and only uses the following ciphers:
TLS_DHE_RSA_WITH_AES_256_CBC_SHAOf course not all browsers will support this configuration, but since I'm the only one using my mail server, I don't care. It is something for you to think about though.