[plentz]

Thanks for the heads up ck2. I've updated the config to add ocsp stapling. The certificate really has a extra(unnecessary) root certificate, I will solve this later today.

The RC4 part is based on this article https://community.qualys.com/blogs/securitylabs/2013/08/05/c.... But I will do some more research and update the post.

[ck2]

Ivan has already adjusted his views on RC4 as you can read here:

https://community.qualys.com/blogs/securitylabs/2013/09/17/u...

And the qualys SSL analyzer no longer penalizes for not mitigating Beast, they just warn about it in orange but there is no longer a penalty as of a couple weeks ago.

[plentz]

Thanks again ck2. I will read it today and update the post to mitigate BEAST as well. Better then that, do you have a better setup for chipers?

[ck2]

The best thing I did with ciphers is stop just using everyone's "magic list" without understanding what they are and what they mean.

To start understanding the magic list of ciphers, enter the list into openssl like this and watch what it produces:

  openssl ciphers -V 'RC4'
  openssl ciphers -V 'EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW'  

(etc. etc.)

take away some of the adds/exclusions in the list and watch what they add/remove. Plug in other people's lists and see what they do.

Then learn what ECDHE vs DHE means (and why DHE is slower)

Then learn about RSA vs DSA keys, EC ciphers etc.

Then play around with this tool that shows you what ciphers different browser support (try it with IE8 vs Firefox vs Chrome, etc) https://cc.dcsec.uni-hannover.de/

Then read about AES hardware acceleration in openssl on most modern processors (not all but many). http://zombe.es/post/4078724716/openssl-cipher-selection

and eventually, a few days later, you'll start to understand what is best :-)

It is always much more than a few lines in a configuration file if you really want to understand.