From: "William A. Rowe Jr."
To: dev@httpd.apache.org
Date: Fri, 29 Oct 2010 00:53:06 -0500
Subject: Re: Cipher suite used in default Apache
Message-ID: <4CCA6142.2020400@rowe-clan.net>

On 10/28/2010 4:42 PM, Eric Covener wrote:
> On Thu, Oct 28, 2010 at 5:30 PM, smu johnson wrote:
>
>> I managed to get OpenSSL 0.9.8g and Apache/2.2.12 working together, but I
>> never defined what cipher rules I want to allow.
>> Unfortunately, I cannot figure out a single way for apache2ctl to tell me
>> what ciphers apache is using.
>
> The default SSLCipherSuite is in the manual
>
>> Not what it supports, but what it is
>> currently allowing when clients use https://.
>
> The manual recommends testing your SSLCipherSuite with the openssl
> command line utility.
>
> You could open an enhancement bugzilla entry to allow a config test or
> trace method to make the openssl calls to provide this info.

A debug emit at startup would be appropriate... had come across this in the
context of FIPS... when giving a cipher list with non-FIPS ciphers, those are
silently ignored (as are all unrecognized cipher patterns). A debug startup
message after we set the cipher suite which retrieves the effective cipher
list would be most helpful to admins in troubleshooting the typos in their
list.
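An added example, not code from the thread or from httpd, of the check Rowe is asking for: feed an SSLCipherSuite string through OpenSSL (via Python's stdlib ssl module, assumed to be linked against OpenSSL), report the effective cipher list, and flag the tokens OpenSSL silently dropped. The cipher strings used below are constructed; the function names are this example's own.

```python
import ssl


def _resolves(name: str) -> bool:
    """True if OpenSSL expands `name` (a cipher name or alias such as HIGH,
    kRSA, AES128-SHA) to at least one TLS <= 1.2 cipher suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(name)  # raises only when *nothing* matches
    except ssl.SSLError:
        return False
    return True


def check_cipher_suite(suite: str) -> dict:
    """Emulate the proposed startup debug emit: set the cipher string on a
    context and report what actually took effect.

    effective        - cipher names OpenSSL enabled (TLS 1.3 suites appear too
                       on OpenSSL 1.1.1+, since they are configured separately)
    ignored          - positive tokens (bare or '+') that matched nothing and
                       were dropped without any error: the silent-typo case
    noop_exclusions  - '!'/'-' tokens that matched nothing; harmless, but a
                       likely typo (or a suite not compiled into this OpenSSL)
    """
    ignored, noop = [], []
    for raw in suite.split(":"):
        token = raw.strip()
        if not token or token.startswith("@"):
            continue  # "@STRENGTH", "@SECLEVEL=n" are directives, not names
        prefix, name = "", token
        if token[0] in "!-+":
            prefix, name = token[0], token[1:]
        if _resolves(name):
            continue
        (noop if prefix in ("!", "-") else ignored).append(token)

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(suite)
        effective = [c["name"] for c in ctx.get_ciphers()]
    except ssl.SSLError:
        effective = []  # "No cipher can be selected": the only loud failure
    return {"effective": effective, "ignored": ignored, "noop_exclusions": noop}


if __name__ == "__main__":
    # Constructed example: one real alias, two exclusions, one misspelled suite.
    report = check_cipher_suite("HIGH:!aNULL:!MD5:AES128-SHA-TYPO")
    print("ignored:", report["ignored"])
    print("effective:", ", ".join(report["effective"]))
```

Tokens are resolved one at a time only to detect typos; the effective list comes from the whole string, so ordering and exclusion interactions are still OpenSSL's.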