Obsolete Cipher Suites
You may see:
“Your connection to example.com is encrypted with obsolete
cryptography.”This means that the connection to the current website is using an
outdated cipher suite (which Chrome still allows if the server insists
on it).In order for the message to indicate “modern cryptography”, the
connection should use forward secrecy and either AES-GCM or
CHACHA20_POLY1305. Other cipher suites are known to have weaknesses.
Most servers will wish to negotiate
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
All this boils down to the following lines in your configuration, that determine which cipher suites are supported and prioritized for connections with clients.
SSLProtocol
SSLCipherSuite
SSLHonorCipherOrder
Per https://certsimple.com/blog/chrome-outdated-cryptography and https://mozilla.github.io/server-side-tls/ssl-config-generator/, you may want to give this a try:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
See also:
[1] https://mozilla.github.io/server-side-tls/ssl-config-generator/ – Suggests security configurations
[2] https://www.ssllabs.com/ssltest/index.html — Test your server’s SSL configuration