When I load a website on Apache2 with SSL and look at the certificate settings in the browser, it always shows a 128-bit key length; I only want 256-bit and above to be allowed.
I have this in the VirtualHost and have tried different variants:
```apache
<VirtualHost *:443>
SSLEngine on
# Allow only TLS 1.3
SSLOpenSSLConfCmd Protocol "-ALL,+TLSv1.3"
##
# TRY THIS ONE BY ONE NOT ALL AT ONCE !
SSLCipherSuite HIGH:!aNULL:!eNULL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384-SHA256
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-PO
SSLCipherSuite HIGH:kRSA
...
...
...
</VirtualHost>
```
I use Firefox, and no matter what I do, it looks like the browser overrides the server settings every time.
Only if I set `security.tls13.aes_128_gcm_sha256` to false in about:config does it work with 256-bit.
What am I doing wrong, or what have I not understood? I know that the browser decides what should be used, but if it is not offered, it should not work.
I also found these posts and tried them out, but it is still not working:
How do I limit SSL/TLS connections to at least 128-bit encryption?
How can I disable 128 bit ciphers in apache?
Every time I restart apache2 and want to load the page, I delete all data and the cache in the browser.
I also set `LogLevel debug` and save the SSL messages to a file with `ErrorLog /var/log/apache2/ssl_error.log`, but I can't get any smarter than that.
I want to disable this from apache2 and only allow what I specify, not through the browser.
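The behaviour described above comes from the fact that `SSLCipherSuite` only governs TLS 1.2 and earlier cipher suites, so with TLS 1.3 forced on, none of the lines tried above change which TLS 1.3 suite is negotiated; the TLS 1.3 list is set separately through OpenSSL's `Ciphersuites` command. The configuration below is an added example, not the poster's own; the hostname `example.com` in the verification comments is a placeholder, and it assumes Apache 2.4 built against OpenSSL 1.1.1 or later.

```apache
<VirtualHost *:443>
    SSLEngine on
    # Only TLS 1.3, as in the original post
    SSLOpenSSLConfCmd Protocol "-ALL,+TLSv1.3"

    # Weak (no effect here): SSLCipherSuite applies to TLS 1.2 and below only.
    # With TLS 1.3 alone, OpenSSL's default TLS 1.3 list still contains
    # TLS_AES_128_GCM_SHA256, so a client that prefers it gets a 128-bit key.
    # SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

    # Hardened: TLS 1.3 suites are configured via OpenSSL's Ciphersuites
    # command (OpenSSL 1.1.1+). Both suites kept here use 256-bit keys;
    # TLS_AES_128_GCM_SHA256 is dropped, so a client offering only that suite
    # is refused with a handshake failure rather than getting a 128-bit session.
    SSLOpenSSLConfCmd Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

    # If TLS 1.2 is re-enabled later, keep that list 256-bit only as well and
    # let the server's order win over the browser's preference:
    # SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # SSLHonorCipherOrder on

    # Verification from a shell after "apachectl configtest" and a reload
    # (example.com is a placeholder for the real host):
    #   openssl s_client -connect example.com:443 -tls1_3 \
    #       -ciphersuites TLS_AES_128_GCM_SHA256 </dev/null
    #   expected: handshake failure, no "Cipher is" line
    #   openssl s_client -connect example.com:443 -tls1_3 </dev/null | grep 'Cipher is'
    #   expected: TLS_AES_256_GCM_SHA384 or TLS_CHACHA20_POLY1305_SHA256
</VirtualHost>
```

With the 128-bit suite removed from the server's TLS 1.3 list, Firefox can no longer select it, so the about:config change is no longer needed to get a 256-bit session.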