Supported SSL_CIPHERS

Overview

You want to know which SSL ciphers the httpd-lm web server supports, or you need the supported Config SSL_CIPHERS string to finish installing or updating your SSL certificate for ListManager (LM).


Information

Important for ListManager 12.4.11 and later

ListManager 12.4.11 adds native TLS 1.3 support. In standard deployments, modern SSL/TLS security no longer requires an NGINX reverse proxy solely to enforce TLS 1.2 or higher.

In typical configurations, ListManager 12.4.11 can achieve an A+ SSL/TLS rating natively.

If you are using this article to tune cipher settings manually, validate the exact SSL_CIPHERS string against current ListManager 12.4.11 guidance before replacing an existing configuration.

Supported SSL Cipher Configurations

These are the supported Config SSL_CIPHERS values to configure SSL on your httpd-lm webserver. Use these examples as configuration references and validate the resulting SSL/TLS behavior in your own environment, especially on ListManager 12.4.11 and later.

A+ Rating Configuration Example

Config SSL_CIPHERS {TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA}

B+ Rating Configuration Example

Config SSL_CIPHERS {TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA}

B Rating — Excludes Weak Ciphers and TLS 1.0/1.1

Disables DES, 3DES, RC4, RC2, MD5, eNULL, aNULL, and TLS 1.0 and 1.1:
Config SSL_CIPHERS {DEFAULT:!DES:!3DES:!RC4:!RC2:!MD5:!aNULL:!eNULL:!TLSv1}

B Rating — Excludes Weak Ciphers (Broad Compatibility)

Disables DES, 3DES, RC4, RC2, MD5, eNULL and aNULL:
Config SSL_CIPHERS {DEFAULT:!DES:!3DES:!RC4:!RC2:!MD5:!aNULL:!eNULL}
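
To review an SSL_CIPHERS value before replacing an existing configuration, the following added example (not ListManager or vendor code) parses a `Config SSL_CIPHERS {...}` line, flags explicit suites that use static RSA key exchange or CBC mode, and lists selector tokens such as `DEFAULT` that only the server's TLS library can expand. The function names are hypothetical, and the classification assumes OpenSSL-style suite names as they appear in this article.

```python
import re

# Explicit examples copied verbatim from the article.
A_PLUS = "Config SSL_CIPHERS {TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA}"
B_PLUS = "Config SSL_CIPHERS {TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA}"

def parse_ssl_ciphers(line):
    """Return the colon-separated tokens inside 'Config SSL_CIPHERS {...}'."""
    m = re.fullmatch(r"\s*Config\s+SSL_CIPHERS\s+\{([^{}]*)\}\s*", line)
    if not m:
        raise ValueError("not a 'Config SSL_CIPHERS {...}' line")
    return [t for t in m.group(1).split(":") if t]

def classify(suite):
    """Classify an explicit suite by name (covers the patterns used in the article)."""
    if suite.startswith("TLS_"):
        kx = "TLS1.3"   # TLS 1.3 suites always use ephemeral key exchange
    elif suite.startswith(("ECDHE-", "DHE-")):
        kx = suite.split("-")[0]
    else:
        kx = "RSA"      # no key-exchange prefix: static RSA, no forward secrecy
    aead = "GCM" in suite or "CHACHA20" in suite
    return {"suite": suite, "kx": kx, "mode": "AEAD" if aead else "CBC"}

def audit(line):
    """Split tokens into explicit suites and selectors, and flag weaker suites."""
    tokens = parse_ssl_ciphers(line)
    # Selectors (DEFAULT, !RC4, ...) are expanded by the TLS library at run time,
    # so they cannot be judged from the string alone.
    selectors = [t for t in tokens if t[0] in "!+-" or not re.search(r"[-_]", t)]
    suites = [classify(t) for t in tokens if t not in selectors]
    return {
        "suites": [s["suite"] for s in suites],
        "no_forward_secrecy": [s["suite"] for s in suites if s["kx"] == "RSA"],
        "cbc": [s["suite"] for s in suites if s["mode"] == "CBC"],
        "selectors": selectors,
    }

if __name__ == "__main__":
    a, b = audit(A_PLUS), audit(B_PLUS)
    print("only in B+ example:", [s for s in b["suites"] if s not in a["suites"]])
    print("B+ suites without forward secrecy:", b["no_forward_secrecy"])
    print("A+ suites still using CBC:", a["cbc"])
```

For the two `DEFAULT:!...` values, every token is reported under `selectors`, so the effective suite list has to be checked against the running server.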

Priyanka Bhotika