Forum

Disable Cipher Suites for SSL?

Jordan
1 February 2017, 03:57
I'd like to be able to disable selected cipher suites for SSL in order to force usage of a 256bit+ cipher suite. Apache allows you to do this using the SSLCipherSuite directive; I could find no corollary in Hiawatha. This is also one of the only things keeping me from an A+ SSL grade from Qualys...
Hugo Leisink
1 February 2017, 08:13
That's not what you need to get an A+. Set the Strict-Transport-Security header with a time-out of at least half a year.

Also, I advise you not to mess with the TLS settings, unless you know what you are doing. 128-bit is also very strong and disabling it could cause connection errors with certain browsers. I've done a lot of tweaking and testing with the current settings. They are secure.
Jordan
2 February 2017, 19:43
Thanks, Hugo. The only TLS setting I have set is MinTLSversion = 1.2. I know that this *could* cause some issues with older browsers, but I'm OK with that. I will update the Strict-Transport-Security header settings; I'm guessing that will work!
Hugo Leisink
2 February 2017, 19:45
Browsers will probably be fine. It's more the search engine crawlers and other scripts that probably won't be able to connect.
Jordan
3 February 2017, 02:55
Thanks, Hugo! Explicitly setting a long Strict-Transport-Security max-age of 31536000 (1 year) worked.

I was misled by this "cipher strength" part of the SSL Server Rating Guide linked by Qualys, just for context:

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide#cipher-strength

Just setting a long Strict-Transport-Security max-age meant that I could remove other tweaks I had made in my hiawatha.conf, namely these two lines can be removed without lowering the SSL report grade:

DHSize = 4096
MinTLSversion = 1.2


I made those tweaks following instructions found in various places across the internet for improving your SSL security settings. Apparently, these were rubbish!
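The thread's working rule is that the Strict-Transport-Security header must carry a max-age of at least half a year, and that one year (31536000 seconds) is what finally produced the A+. The following checker is an added example, not code from the forum thread or from the Hiawatha project: it parses an HSTS header value the way RFC 6797 lays it out (directives separated by semicolons, max-age required, optional includeSubDomains and preload) and reports whether the max-age clears a chosen threshold. The sample response headers at the bottom are constructed for illustration; the threshold constants are assumptions taken from the numbers quoted in the thread.

```python
"""Check a Strict-Transport-Security (HSTS) header against a minimum max-age.

Added example (not from the forum thread or from Hiawatha). It encodes the
rule of thumb given above: max-age of at least half a year, one year being
the value that worked for the poster.
"""

HALF_YEAR = 15768000   # 182.5 days in seconds; the minimum recommended in the thread
ONE_YEAR = 31536000    # 365 days in seconds; the value the poster ended up using


def parse_hsts(value):
    """Parse an HSTS header value into its directives.

    Returns a dict with keys max_age (int or None), include_subdomains (bool)
    and preload (bool). Raises ValueError on a malformed or duplicated
    max-age, which RFC 6797 tells clients to treat as an invalid header.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen_max_age = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')      # the value may be a quoted-string
        if name == "max-age":
            if seen_max_age:
                raise ValueError("duplicate max-age directive")
            if not arg.isdigit():
                raise ValueError("max-age is not a non-negative integer: %r" % arg)
            result["max_age"] = int(arg)
            seen_max_age = True
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # Unknown directives are ignored, as RFC 6797 requires.
    return result


def hsts_is_long_enough(value, minimum=HALF_YEAR):
    """True if the header value is valid and its max-age is at least `minimum`."""
    try:
        parsed = parse_hsts(value)
    except ValueError:
        return False
    return parsed["max_age"] is not None and parsed["max_age"] >= minimum


def check_response_headers(headers, minimum=HALF_YEAR):
    """Look up HSTS in a dict of response headers (any key casing).

    Returns (ok, reason). Duplicate HSTS headers are not expected here; the
    first one found is used.
    """
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            try:
                parsed = parse_hsts(value)
            except ValueError as exc:
                return False, "invalid Strict-Transport-Security header: %s" % exc
            if parsed["max_age"] is None:
                return False, "Strict-Transport-Security header has no max-age"
            if parsed["max_age"] < minimum:
                return False, "max-age %d is below the minimum of %d seconds" % (
                    parsed["max_age"], minimum)
            return True, "ok"
    return False, "no Strict-Transport-Security header"


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    samples = {
        "one year":        {"Strict-Transport-Security": "max-age=31536000"},
        "one year + subs": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
        "one hour":        {"Strict-Transport-Security": "max-age=3600"},
        "no max-age":      {"Strict-Transport-Security": "includeSubDomains"},
        "missing":         {"Content-Type": "text/html"},
    }
    for label, hdrs in samples.items():
        print("%-16s %s" % (label, check_response_headers(hdrs)))
```

To use it against a live site, feed it the response headers from whatever HTTP client you already use (for example `dict(resp.headers)` from `urllib.request`); the parsing and threshold logic do not depend on the client. Raising the minimum to `ONE_YEAR` reproduces the value that produced the A+ in the thread.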
Joe Schmoe
3 February 2017, 18:50
"I made those tweaks following instructions found in various places across the internet for improving your SSL security settings. Apparently, these were rubbish!"

That's not quite true, they will certainly increase your security (at a possible cost of incompatibility). Your goal was to get an A+ on the test though. Which is not exactly the same thing.
This topic has been closed.