I've recently moved my website to a new server, going from an older version of WHM / cPanel to the current version. I've discovered that the Apache cipher suite is much stricter than on the old server. On ssllabs.com, the site went from an F grade to an A grade. So basically, from one extreme to the other. Unfortunately, the default encryption suite has locked out many users, whether they are using older machines with older browsers or video game consoles such as the PS3 and Nintendo DS.
The site is focused on video games, and I do not need state-of-the-art ciphers to the exclusion of everything else. I'm looking for suggestions on how to modify the cipher suite to add older but still reasonably secure ciphers to the mix.
Here is the default cipher suite in WHM / cPanel currently:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
One of my users (who is currently blocked on the site) would like me to add EDH to the mix. Here are two suites that he suggested:
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+ECDSA+SHA256 EECDH + ADSGC + EDH + aRSA"
I'm looking for advice on what is reasonable to do, preferably by adding a few ciphers at the end of the default string. Any ideas here are greatly appreciated.
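
One way to see what a cipher string like the default quoted in the question offers before appending anything to it, as an added example that is not part of the original post: the sketch below groups OpenSSL-style suite names by key exchange, AEAD use and 3DES. The tier names and the grouping rule are assumptions of this example, and the sample string is a constructed subset of names from the post.

```python
# Added example: group OpenSSL-style TLS 1.2 suite names by what they offer.
# Tier names ("modern", "compat", "last-resort") are this example's assumptions.

# EDH is OpenSSL's older spelling of DHE (ephemeral finite-field Diffie-Hellman).
KX_PREFIXES = {"ECDHE": "ECDHE", "DHE": "DHE", "EDH": "DHE"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS"}

def classify(name):
    """Describe one suite name such as ECDHE-RSA-AES128-SHA256."""
    parts = name.split("-")
    kx = KX_PREFIXES.get(parts[0])
    if kx:
        rest = parts[1:]
        if rest and rest[0] in AUTH_TOKENS:
            rest = rest[1:]              # drop the authentication token
    else:
        kx, rest = "RSA", parts          # no prefix: static RSA key exchange
    forward_secrecy = kx != "RSA"
    aead = "GCM" in rest or "CHACHA20" in rest
    triple_des = "CBC3" in rest          # DES-CBC3 is 3DES (64-bit block)
    if triple_des or not forward_secrecy:
        tier = "last-resort"
    elif aead:
        tier = "modern"
    else:
        tier = "compat"                  # CBC mode, but with forward secrecy
    return {"name": name, "kx": kx, "forward_secrecy": forward_secrecy,
            "aead": aead, "3des": triple_des, "tier": tier}

def audit(cipher_string):
    """Classify every suite in a colon-separated list, skipping !exclusions."""
    names = [t.strip() for t in cipher_string.split(":")]
    return [classify(n) for n in names if n and not n.startswith("!")]

# Constructed sample: a subset of the suite names quoted in the post.
SAMPLE = ("ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:"
          "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
          "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:!DSS")

if __name__ == "__main__":
    for row in audit(SAMPLE):
        fs = "FS" if row["forward_secrecy"] else "no-FS"
        print(f'{row["tier"]:<12}{row["kx"]:<6}{fs:<6}{row["name"]}')
```

Keeping the "last-resort" entries at the end of the string, with the server's cipher order honoured, means they are negotiated only by clients that support nothing earlier in the list.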