httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r966055 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
Date Wed, 21 Jul 2010 12:45:59 GMT
On 21.07.2010 12:59, Igor Galić wrote:
>
>
> +SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
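Review bot: on the added SSLCipherSuite line, `ALL` followed by `!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL` leaves the enabled set dependent on which ciphers the linked OpenSSL build provides. A comment above the directive in the sample config saying what each exclusion is meant to remove, and that `openssl ciphers -v` with the same string prints the resulting list, would let an administrator check the result on their own build.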
> Reminds me a bit of: http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/
>
> Can't we simplify that to:
>
> SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5
>
> Since it's basically the same:
>
> i.galic@panic ~/Projects/asf/httpd (svn)-[trunk:966169] % openssl ciphers 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'|md5sum -
> c1977a5b8a9cea42329be929398c6941  -
> i.galic@panic ~/Projects/asf/httpd (svn)-[trunk:966169] % openssl ciphers 'RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL' | md5sum -
> c1977a5b8a9cea42329be929398c6941  -
>
> OpenSSL experts might want to disagree with me at this point.

Not an openssl expert, but: depending on the build options and openssl 
version, e.g. IDEA-CBC-SHA is part of the longer cipher suite, but not 
part of yours (checked for 0.9.8o).

My feeling is that the longer cipher suite on the one hand could allow 
more ciphers (ALL instead of HIGH) and adjusts that by being more 
explicit about which ciphers to disable. Seems more understandable to me, 
especially the "what's excluded" part.

More opinions welcome.

Regards,

Rainer
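
The comparison discussed in this thread, as an added example that is not part of the original messages: instead of hashing the two expansions, compare them name by name, so a build-dependent difference such as IDEA-CBC-SHA shows up by name. The function names `expand`, `only_in` and `compare` are assumptions, and the two sample lists are constructed, not real `openssl ciphers` output.

```shell
#!/bin/sh
# Added example: compare two expanded cipher lists name by name.

# expand SPEC: print the colon-separated list the local OpenSSL build
# produces for a cipher string (needs the openssl binary).
expand() {
    openssl ciphers "$1"
}

# only_in LIST_A LIST_B: names in LIST_A that are absent from LIST_B,
# space-separated, in LIST_A's order.
only_in() {
    out=""
    old_ifs=$IFS; IFS=:
    for c in $1; do
        case ":$2:" in
            *":$c:"*) ;;                      # present in both lists
            *) out="${out:+$out }$c" ;;       # missing from LIST_B
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# compare LIST_A LIST_B: one-line verdict on membership and order.
compare() {
    a_only=$(only_in "$1" "$2")
    b_only=$(only_in "$2" "$1")
    if [ "$1" = "$2" ]; then
        echo "identical"
    elif [ -z "$a_only" ] && [ -z "$b_only" ]; then
        echo "same ciphers, different preference order"
    else
        echo "differ: only-first=[$a_only] only-second=[$b_only]"
    fi
}

# Constructed sample lists (not real openssl output), shaped like the case in
# the reply: the longer string keeps IDEA-CBC-SHA, the shorter one does not.
LONG_LIST='RC4-SHA:AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:IDEA-CBC-SHA'
SHORT_LIST='RC4-SHA:AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA'

compare "$LONG_LIST" "$SHORT_LIST"

# Against a real build, run on each OpenSSL version you deploy:
# compare "$(expand 'RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL')" \
#         "$(expand 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5')"
```
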
