httpd-cvs mailing list archives

From s.@apache.org
Subject svn commit: r1135241 - in /httpd/httpd/trunk/docs/manual: mod/mod_ssl.xml ssl/ssl_howto.xml
Date Mon, 13 Jun 2011 19:30:06 GMT
Author: sf
Date: Mon Jun 13 19:30:05 2011
New Revision: 1135241

URL: http://svn.apache.org/viewvc?rev=1135241&view=rev
Log:
AFAICS, we don't have a default cipher suite but depend on openssl's default.
Document the fact that this default depends on the openssl version.
Recommend !aNULL over !ADH, because the former also excludes !AECDH in openssl
1.0+

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1135241&r1=1135240&r2=1135241&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Jun 13 19:30:05 2011
@@ -614,7 +614,7 @@ SSLProtocol all -SSLv2
 <description>Cipher Suite available for negotiation in SSL 
 handshake</description>
 <syntax>SSLCipherSuite <em>cipher-spec</em></syntax>
-<default>SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</default>
+<default>SSLCipherSuite DEFAULT (depends on OpenSSL version)</default>
 <contextlist><context>server config</context>
 <context>virtual host</context>
 <context>directory</context>
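
Review bot: In the new `<default>` line, the parenthetical "(depends on OpenSSL version)" sits inside an element whose content otherwise reads as a literal directive line, so it can be mistaken for part of the cipher-spec. Consider keeping `<default>SSLCipherSuite DEFAULT</default>` and stating the version dependence in the usage text, next to the existing pointer to `openssl ciphers -v`, so readers know how to list what their installed library expands DEFAULT to.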
@@ -711,9 +711,10 @@ prefixes are:</p>
 <p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
 -v</code>'' command which provides a nice way to successively create the
 correct <em>cipher-spec</em> string. The default <em>cipher-spec</em>
string
-is ``<code>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
+depends on the version of the OpenSSL libraries used. Let's suppose it is
+``<code>ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
 means the following: first, remove from consideration any ciphers that do not
-authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
+authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next,
 use ciphers using RC4 and RSA. Next include the high, medium and then the low
 security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
 end of the list.</p>
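
Review bot: The rewritten explanation of `!aNULL` still names only the Anonymous Diffie-Hellman ciphers, while the commit log gives the exclusion of AECDH in OpenSSL 1.0+ as the reason for the switch. Suggest naming the anonymous ECDH suites in this sentence as well. Separately, "Let's suppose it is" follows a sentence saying the default depends on the OpenSSL version, so it would help to state outright that the string is an illustration and not the default of any particular version.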

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml?rev=1135241&r1=1135240&r2=1135241&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml Mon Jun 13 19:30:05 2011
@@ -67,7 +67,7 @@ only?</title>
     <p>The following enables only the strongest ciphers:</p>
     <example><title>httpd.conf</title>
       SSLProtocol all -SSLv2<br />
-      SSLCipherSuite HIGH:!ADH:!EXP:!MD5:!NULL<br />
+      SSLCipherSuite HIGH:!aNULL:!EXP:!MD5:!NULL<br />
     </example>
 
     <p>While with the following configuration you enable two ciphers
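
Review bot: The example line changes `!ADH` to `!aNULL` with no accompanying text, so a reader comparing it with an existing configuration gets no hint why the two differ; the rationale (that `!aNULL` also covers AECDH in OpenSSL 1.0+) appears only in the commit log. A one-sentence note after the example would cover it, and the same applies to the second example in the next hunk.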
@@ -75,7 +75,7 @@ only?</title>
 
     <example><title>httpd.conf</title>
       SSLProtocol all -SSLv2<br />
-      SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ADH:!EXP:!MD5:!NULL<br />
+      SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!EXP:!MD5:!NULL<br />
       SSLHonorCipherOrder on
     </example>
 
@@ -96,12 +96,12 @@ URL?</title>
     This can be done as follows:</p>
     <example>
       # be liberal in general<br />
-      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
+      SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
       <br />
       &lt;Location /strong/area&gt;<br />
       # but https://hostname/strong/area/ and below<br />
       # requires strong ciphers<br />
-      SSLCipherSuite HIGH:!ADH:!EXP:!MD5:!NULL<br />
+      SSLCipherSuite HIGH:!aNULL:!EXP:!MD5:!NULL<br />
       &lt;/Location&gt;
     </example>
 </section>
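
Review bot: In the "be liberal in general" line, the trailing `+SSLv2:+EXP:+eNULL` is carried over unchanged. As the mod_ssl.xml text in this same commit describes, `+` only pulls those suites to the end of the list, so SSLv2 and export suites remain negotiable everywhere outside /strong/area. Since this commit tightens the anonymous case, consider adding a comment in the example saying the liberal setting is deliberate and shown for contrast with the `<Location>` block.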


