httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Odd - SSLCipherSuite
Date Fri, 16 May 2014 08:27:50 GMT

On 14 May 2014, at 19:10, Plüm, Rüdiger, Vodafone Group <ruediger.pluem@vodafone.com> wrote:

> Which Apache version do you use?

Below was with:

	Apache/2.4.9 
	OpenSSL 1.0.1e-freebsd

but I reverted to that from a patched/hacked build from HEAD while investigating the issue.
Does this ring a bell?

Dw.


> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
> Sent: Wednesday, 14 May 2014 11:23
> To: dev@httpd.apache.org
> Subject: Odd - SSLCipherSuite
>  
> Now I must be getting rusty - we have in the config file
> 
>           SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
>           SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
> 
> with the first resolving nicely with
> 
>           openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
> 
> to just
> 
>           ECDHE-RSA-AES256-SHA
> 
> So my assumption is that this server will insist on talking above - and nothing else.
> 
> And on the wire - if I observe the Server Hello I see:
> 
>           Secure Sockets Layer
>                       TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>                       ...
>                       Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> 
> which is sort of what I expect.
> 
> However when I throw 
> 
>           https://www.ssllabs.com/ssltest/analyze.html
> 
> their analyzer at it - it seems to be quite able to convince the server to say hello's with
> 
>               SSLv3 Record Layer: Handshake Protocol: Server Hello
>           Content Type: Handshake (22)
>                   Version: SSL 3.0 (0x0300)
>                       ...
>                       Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> 
> or
> 
>    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>           ...
>            Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>        
> And so on*. I must be missing something very obvious here! Am I misunderstanding SSLCipherSuite
> or is there something specific about 1.2 which makes certain things mandatory and not under
> control of SSLCipherSuite?
> 
> Dw.
> 
> 
> 
> 
> * besides             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> Server Hello's with
> 
>             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
>            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
>            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
>            Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
>            Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
>            Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>            Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
>            Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
>            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>            Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
>            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>            Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
>            Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
>            Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
>            Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
>            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
>            Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
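
An added example, not part of the original message or of httpd: it compares the cipher suite chosen in each captured Server Hello against the list the quoted SSLCipherSuite line resolves to. It assumes the dissector text layout quoted above and uses 0xc014, the TLS code point of ECDHE-RSA-AES256-SHA; the sample input is constructed from fragments in the message, and the function names are hypothetical.

```python
import re

# Configured allow-list: the quoted SSLCipherSuite line resolves to this one
# OpenSSL name, whose TLS code point is 0xc014.
CONFIGURED = {"ECDHE-RSA-AES256-SHA": 0xC014}

# Constructed sample: Server Hello fragments in the text layout quoted above.
SAMPLE = """\
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
SSLv3 Record Layer: Handshake Protocol: Server Hello
    Version: SSL 3.0 (0x0300)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
"""

HELLO = re.compile(r"^(\S+) Record Layer: Handshake Protocol: Server Hello")
SUITE = re.compile(r"^Cipher Suite: (\w+) \(0x([0-9a-fA-F]{4})\)")

def audit(dissection, allowed=CONFIGURED):
    """Return (record_version, suite_name, code, permitted) per Server Hello."""
    allowed_codes = set(allowed.values())
    results, version = [], None
    for line in dissection.splitlines():
        line = line.lstrip("> ")  # tolerate indentation and e-mail quote prefixes
        m = HELLO.match(line)
        if m:
            version = m.group(1)
            continue
        m = SUITE.match(line)
        if m and version is not None:
            code = int(m.group(2), 16)
            results.append((version, m.group(1), code, code in allowed_codes))
            version = None  # a Server Hello selects exactly one suite
    return results

def violations(dissection, allowed=CONFIGURED):
    """Server Hellos whose selected suite is outside the configured list."""
    return [r for r in audit(dissection, allowed) if not r[3]]

if __name__ == "__main__":
    for ver, name, code, ok in audit(SAMPLE):
        print(f"{'ok  ' if ok else 'FAIL'} {ver:8} 0x{code:04x} {name}")
```

Cipher Suite lines that are not preceded by a Server Hello header, such as a bare list of suites, are skipped rather than guessed at.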

