httpd-users mailing list archives

From Markus Mayer <mymailli...@gmx.at>
Subject [users@httpd] SSLCipherSuite and problems with Firefox, Mozilla
Date Thu, 11 Jan 2007 10:20:40 GMT
Hi All,

I've been trying to configure an Apache server with some SSL restrictions, in
particular to disallow weak encryption methods.  I've followed the
instructions on the Apache site for this,
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html and also looked at the
O'Reilly book Apache Security, pages 90-91.

The configuration I have is:
        SSLEngine on
        SSLCertificateFile <cert file location>
        SSLCertificateKeyFile <key file location>
        SSLCACertificateFile <CA cert file location>
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        SSLProtocol All -SSLv2
#       SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
#       SSLCipherSuite ALL:!EXP:!NULL:!ADH:+HIGH:+MEDIUM:!LOW
#       SSLCipherSuite ALL
#       SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
        SSLProxyEngine on

All the lines commented out caused Firefox, Mozilla, and Opera to fail to open 
a https session.  IE and Konqueror worked without problems.  With the first 
SSLCipherSuite line active, Konqueror used the RC4-MD5, SSLv3 Cipher, IE I 
couldn't find out.  When I ran the server without the SSLCipherSuite 
directive and connected with Firefox, it used the AES 128 bit encryption, 
which as I understand should have been allowed when the SSLCipherSuite was 
active.  Firefox also failed when I used the SSLCipherSuite ALL directive, 
however again IE and Konqueror worked.

I'm quite confused as to what is happening here and would like to know if
anyone has any suggestions.

Markus

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
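
An added example, not part of the original message and not mod_ssl or OpenSSL code: a simplified model of the OpenSSL cipher-string operators (`!` deletes permanently, `-` deletes, `+` only moves already-selected ciphers to the end, a bare name appends) applied to the four SSLCipherSuite strings from the post. The cipher table, its class tags, and the helper names `expand` and `negotiate` are constructed for illustration; real class membership depends on the OpenSSL build.

```python
# Simplified model of OpenSSL cipher-string evaluation (added example).
# CIPHERS is a constructed table; real class membership depends on the build.
CIPHERS = [  # (name, class tags) in the model's default preference order
    ("AES256-SHA",           {"RSA", "HIGH"}),
    ("EDH-DSS-DES-CBC3-SHA", {"DSS", "HIGH"}),
    ("ADH-AES128-SHA",       {"ADH", "HIGH"}),
    ("AES128-SHA",           {"RSA", "HIGH"}),
    ("RC4-MD5",              {"RSA", "MEDIUM"}),
    ("DES-CBC-SHA",          {"RSA", "LOW"}),
    ("EXP-RC4-MD5",          {"RSA", "EXP"}),
    ("NULL-SHA",             {"RSA", "NULL"}),
]
TAGS = dict(CIPHERS)

def matches(name, selector):
    # "ALL" selects everything except NULL-encryption suites.
    if selector == "ALL":
        return "NULL" not in TAGS[name]
    return selector in TAGS[name] or selector == name

def expand(cipher_string):
    """Return the ordered cipher list a string selects in this model."""
    active, killed = [], set()
    for token in cipher_string.split(":"):
        op = token[0] if token[0] in "!-+" else ""
        hits = [n for n, _ in CIPHERS if matches(n, token[len(op):])]
        if op == "!":    # permanent delete: can never be re-added
            killed.update(hits)
            active = [n for n in active if n not in hits]
        elif op == "-":  # delete, but a later token may add it back
            active = [n for n in active if n not in hits]
        elif op == "+":  # move matching active ciphers to the end, adds nothing
            moved = [n for n in active if n in hits]
            active = [n for n in active if n not in hits] + moved
        else:            # bare selector: append anything not yet listed
            active += [n for n in hits if n not in active and n not in killed]
    return active

def negotiate(cipher_string, client_offer, honor_server_order=False):
    """First mutually supported cipher, or None if no cipher is shared."""
    server = expand(cipher_string)
    first, second = (server, client_offer) if honor_server_order else (client_offer, server)
    return next((c for c in first if c in second), None)

# The four strings from the post, in the order they appear there.
POSTED = ["ALL:!EXP:!NULL:!ADH:!LOW", "ALL:!EXP:!NULL:!ADH:+HIGH:+MEDIUM:!LOW",
          "ALL", "RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"]

if __name__ == "__main__":
    for s in POSTED:
        print(s, "->", expand(s))
```

On a real server, `openssl ciphers -v '<string>'` prints the list that the installed OpenSSL build selects for a given string, which can then be compared with the ciphers the client offers.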