httpd-dev mailing list archives

From Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com>
Subject AW: Odd - SSLCipherSuite
Date Wed, 14 May 2014 17:10:37 GMT
Which Apache version do you use?

Regards

Rüdiger

From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
Sent: Wednesday, 14 May 2014 11:23
To: dev@httpd.apache.org
Subject: Odd - SSLCipherSuite

Now I must be getting rusty - we have in the config file

          SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
          SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3

with the first resolving nicely with

          openssl ciphers -ALL:ECDHE-RSA-AES256-SHA

to just

          ECDHE-RSA-AES256-SHA

So my assumption is that this server will insist on talking above - and nothing else.

And on the wire - if I observe the Server Hello I see:

          Secure Sockets Layer
                      TLSv1.2 Record Layer: Handshake Protocol: Server Hello
                      ...
                      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

which is sort of what I expect.

However when I throw

          https://www.ssllabs.com/ssltest/analyze.html

their analyzer at it - it seems to be quite able to convince the server to say hello's with

              SSLv3 Record Layer: Handshake Protocol: Server Hello
          Content Type: Handshake (22)
                  Version: SSL 3.0 (0x0300)
                      ...
                      Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

or

   TLSv1.2 Record Layer: Handshake Protocol: Server Hello
          ...
           Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)

And so on*. I must be missing something very obvious here! Am I misunderstanding SSLCipherSuite
or is there something specific about 1.2 which makes certain things mandatory and not under
control of SSLCipherSuite?

Dw.




* besides             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Server Hello's with

           Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
           Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
           Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
           Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
           Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
           Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
           Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
           Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
           Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
           Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
           Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
           Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
           Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
           Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
           Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
           Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
           Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
           Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
           Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
           Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
           Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
           Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
           Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
           Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
           Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
           Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
           Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
           Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
           Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
           Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
           Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
           Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
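
An added example, not part of the original thread: a small check that compares dissected Server Hello records, in the format quoted above, against the posted `SSLCipherSuite` and `SSLProtocol` settings. It assumes the cipher string resolves to the single OpenSSL suite `ECDHE-RSA-AES256-SHA`, whose IANA code point is 0xc014 (`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`); the function name `audit` and the last two sample records are constructed for illustration.

```python
import re

# Assumption: the configured string resolves to one suite, as the post's
# `openssl ciphers` output shows. Key is the IANA code point of that suite.
ALLOWED = {0xC014: "ECDHE-RSA-AES256-SHA"}  # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3, written as record-layer labels
ALLOWED_PROTOCOLS = {"SSLv3", "TLSv1.1", "TLSv1.2"}

RECORD = re.compile(r"^\s*(\S+) Record Layer: Handshake Protocol: Server Hello")
SUITE = re.compile(r"^\s*Cipher Suite: (\S+) \((0x[0-9a-fA-F]{4})\)")

def audit(dissection):
    """Return (protocol, suite_name, code, verdict) for each Server Hello."""
    findings, proto = [], None
    for line in dissection.splitlines():
        m = RECORD.match(line)
        if m:
            proto = m.group(1)          # remember which record we are inside
            continue
        m = SUITE.match(line)
        if m and proto is not None:
            code = int(m.group(2), 16)
            problems = []
            if proto not in ALLOWED_PROTOCOLS:
                problems.append("protocol not enabled")
            if code not in ALLOWED:
                problems.append("suite not in SSLCipherSuite")
            findings.append((proto, m.group(1), code, "; ".join(problems) or "ok"))
            proto = None                # one suite per Server Hello
    return findings

# First three records are taken from the post; the last two are constructed.
SAMPLE = """\
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
SSLv3 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: SSL 3.0 (0x0300)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLSv1 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
"""

if __name__ == "__main__":
    for proto, name, code, verdict in audit(SAMPLE):
        print(f"{proto:8} {name} (0x{code:04x}): {verdict}")
```

Run against the quoted captures, every negotiated suite falls outside the configured set, including 0xc030, which is the GCM-SHA384 suite rather than the configured CBC-SHA one (0xc014).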
