httpd-dev mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: Cipher suite used in default Apache
Date Thu, 28 Oct 2010 21:53:29 GMT
On October 28, 2010 17:30, smu johnson <smujohnson@gmail.com> wrote:
> Unfortunately, I cannot figure out a single way for apache2ctl to tell 
> me what ciphers apache is using.  Not what it supports, but what it is 
> currently allowing when clients use https://.

You can configure httpd to log which ciphers are actually being 
used for each request; see:  
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats


> The reason is I'm worried that it's allowing 40-bit encryption, and I 
> would like to see actual verification from Apache whether or not my 
> current setup is allowing it.

To see if 40-bit encryption is permitted, run the following from the 
command line:

openssl s_client -connect your-web-server.example.com:443 -cipher LOW

If you get a line that looks like

140735078042748:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:

then 40-bit encryption is not supported and you are safe.  If, however, 
you get an SSL-Session section in the output, then the Cipher line will 
indicate which cipher was actually negotiated and used in this test.

More information and additional tests and examples are available at

http://idlethreat.com/site/index.php/archives/181
http://stephenventer.blogspot.com/2006/07/openssl-cipher-strength.html

--
   Mark Montague
   mark@catseye.org
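The probe above, extended to the cipher groups an audit for 40-bit crypto actually needs, as an added example that is not part of Mark's reply or of httpd. One caveat worth knowing when reading his check: in openssl ciphers(1), LOW is the 56/64-bit group and excludes export suites; the 40-bit suites (EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-DES-CBC-SHA) live under EXPORT and EXPORT40, so a probe for 40-bit encryption should use those group names too. The script also distinguishes "the server refused" from "my own OpenSSL no longer has any of these ciphers", which on 1.1.0+ clients is the usual reason an EXPORT or LOW probe fails. The target host:port is the placeholder from the message; the three s_client transcripts are constructed here (trimmed to the lines the classifier reads) so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original message or from httpd): probe an HTTPS
# server for weak OpenSSL cipher groups with `openssl s_client -cipher GROUP`
# and classify each handshake from the client's output.
#
# Group names are from openssl ciphers(1): EXPORT40 = 40-bit export suites,
# EXPORT = 40/56-bit export suites, LOW = 56/64-bit non-export suites,
# NULL = no encryption at all.
WEAK_GROUPS="EXPORT40 EXPORT LOW NULL"

# classify_handshake reads s_client output on stdin and prints one of:
#   NEGOTIATED <cipher>   the server accepted a suite from the group
#   REFUSED               handshake failure: the server offers none of them
#   UNTESTABLE            the *client's* OpenSSL has no suites in the group
#                         (1.1.0+ builds drop EXPORT/LOW entirely), so the
#                         run says nothing about the server
# A refused handshake may print only the "alert handshake failure" error, or,
# with other client versions, an SSL-Session block whose Cipher line reads
# 0000 or (NONE); both are treated as a refusal.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q -e 'no cipher match' -e 'Error setting cipher list'; then
        echo "UNTESTABLE"
        return 0
    fi
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        ''|0000|'(NONE)') echo "REFUSED" ;;
        *)                echo "NEGOTIATED $cipher" ;;
    esac
}

# probe_group HOST:PORT GROUP runs one restricted handshake.  </dev/null closes
# stdin so s_client exits right after the handshake instead of waiting for a
# request; 2>&1 keeps the error line the classifier looks for.
probe_group() {
    openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 | classify_handshake
}

# probe_weak_groups HOST:PORT reports every group in WEAK_GROUPS, prefixing each
# result with the suites the local OpenSSL would actually offer for that group
# (empty on clients that no longer ship them).
probe_weak_groups() {
    for group in $WEAK_GROUPS; do
        offered=$(openssl ciphers "$group" 2>/dev/null | tr ':' ' ')
        printf '%-9s offers: %s\n' "$group" "${offered:-<none in this client>}"
        printf '%-9s result: %s\n' "$group" "$(probe_group "$1" "$group")"
    done
}

# Constructed s_client transcripts, trimmed to the lines that matter, so the
# classifier can be exercised without a network.  The refused one reuses the
# error line quoted in the message above.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5'

SAMPLE_REFUSED='CONNECTED(00000003)
140735078042748:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

SAMPLE_UNTESTABLE='Error setting cipher list EXPORT40
error:SSL routines:SSL_CTX_set_cipher_list:no cipher match'

if [ -n "${1:-}" ]; then
    probe_weak_groups "$1"    # e.g.  sh weakciphers.sh your-web-server.example.com:443
else
    # No target given: classify the constructed transcripts only.
    for sample in "$SAMPLE_ACCEPTED" "$SAMPLE_REFUSED" "$SAMPLE_UNTESTABLE"; do
        printf '%s\n' "$sample" | classify_handshake
    done
fi
```

Read the "offers" line before trusting a REFUSED: if the client offers nothing for a group, the server was never asked. For the server-side view Mark points at, the mod_ssl log-format page linked above documents the `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` variables; a CustomLog using them records the suite actually negotiated on every request, which is the only way to see what real clients ended up with rather than what one probe got.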

