DigitalOcean

Report this

What is the reason for this report?
Question

Changing SSLCipherSuite on Wordpress Droplet

Posted on April 27, 2017
Apache
DigitalOcean 1-Click Apps Marketplace
Ubuntu
Jubal

By Jubal

I’ve got a one-click app of wordpress running on Ubntu 14.04.1, I’ve upgraded and no matter what I change in the Apache config (with subsequent restart of Apache, or even VM) the cipher suite used never changes when I evaluate the HTTPS connection details from a client.

I greped to find all the instances of SSLCipherSuite in all of/etc/apache2 and the only uncommented specification of what cipher suite to use is my own: SSLCipherSuite AES256+EECDH:AES256+EDH:HIGH

^ Note both defined are 256 bit bulk ciphers, yet no matter if I restart apache or the VM Calomel SSL validation on Firefox

What gives?



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Jubal
Jubal
April 27, 2017

I meant to add that the bulk cipher my client is using to connect to the site is 128 bit AES

0
Jonathan Tittle
Jonathan Tittle
April 27, 2017

@Jubal

You may want to extend the configuration by adding:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

… above the SSLCipherSuite directive. What you’d end up with is:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite AES256+EECDH:AES256+EDH:HIGH

That being said, I would recommend using what’s provided by https://cipherli.st:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off 
SSLUseStapling on 
SSLStaplingCache "shmcb:logs/stapling-cache(150000)" 
# Requires Apache >= 2.4.11
SSLSessionTickets Off

It’s important to keep in mind, the ciphers that you list in SSLCipherSuite will only be used when they are supported. If the connecting client does not support them, it’ll cause an error.

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and AI-native businesses

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2026 DigitalOcean, LLC.Sitemap.