httpd-dev mailing list archives

From smu johnson <smujohn...@gmail.com>
Subject Cipher suite used in default Apache
Date Thu, 28 Oct 2010 21:30:00 GMT
Hi,

This is my first post.  How's it going?

I managed to get OpenSSL 0.9.8g and Apache/2.2.12 working together, but I
never defined what cipher rules I want to allow.

Unfortunately, I cannot figure out a single way for apache2ctl to tell me
what ciphers Apache is using.  Not what it supports, but what it is
currently allowing when clients use https://.  It sounds a bit like a user
question, but if it is not implemented, I wanted to toss the idea around
with a few devs here.

The reason is I'm worried that it's allowing 40-bit encryption, and I would
like to see actual verification from Apache whether or not my current setup
is allowing it.  Later, I will want to disable AES > 128-bits, once I get an
idea of which ciphers it's hosting.  (See
http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html for more
info)

Another problem I found (I'm not whining or cracking a whip) is that the
apache2 docs don't even mention AES in them, which makes me think that the
allowable CipherSuite stuff documented is about 10 years out of date.

Does anyone have any advice for me?  Thank you.

-- 
smu johnson <smujohnson@gmail.com>
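
Added example, not part of the original post: one way to check a cipher list for the 40-bit and AES > 128-bit cases raised above, by parsing output in the layout that `openssl ciphers -v '<cipher string>'` prints. The sample lines are constructed, and `parse_ciphers` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`.
SAMPLE = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Enc=<algorithm>(<bits>); the bit count is absent for Enc=None.
ENC_RE = re.compile(r"^Enc=([^()\s]+)(?:\((\d+)\))?$")

def parse_ciphers(text):
    """Return one dict per cipher line: name, protocol, enc, bits, export."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or unrecognised line
        enc = next((ENC_RE.match(f) for f in fields if f.startswith("Enc=")), None)
        if enc is None:
            continue
        suites.append({
            "name": fields[0],
            "protocol": fields[1],
            "enc": enc.group(1),
            "bits": int(enc.group(2)) if enc.group(2) else 0,  # Enc=None -> 0
            "export": "export" in fields[2:],
        })
    return suites

def audit(suites, min_bits=128, max_bits=None):
    """Map cipher name -> reason for every suite outside the policy."""
    findings = {}
    for s in suites:
        if s["export"]:
            findings[s["name"]] = "export-grade"
        elif s["bits"] == 0:
            findings[s["name"]] = "no encryption"
        elif s["bits"] < min_bits:
            findings[s["name"]] = "%d-bit key" % s["bits"]
        elif max_bits is not None and s["enc"].startswith("AES") and s["bits"] > max_bits:
            findings[s["name"]] = "AES above %d bits" % max_bits
    return findings
```

Calling `audit(parse_ciphers(output), max_bits=128)` on real output also reports the AES suites above 128 bits mentioned in the post.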
