httpd-users mailing list archives

From "Hollie Hollis" <Hollie_Hol...@DRGnetwork.com>
Subject RE: [users@httpd] SSLCipherSuite not disabling export ciphers?
Date Thu, 04 Dec 2008 14:14:20 GMT
We have a few different renditions of Apache installed, a Red Hat rpm
version and a manually compiled version, and here's how ours are listed:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Thus far this set-up has passed PCI compliance scanning.

-----Original Message-----
From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com] 
Sent: Thursday, December 04, 2008 2:40 AM
To: users@httpd.apache.org
Subject: [users@httpd] SSLCipherSuite not disabling export ciphers?

Can someone tell me if the SSLCipherSuite directive has
any known issues with not fully adhering to what it is
given?  I've been trying to make a server PCI compliant
by disabling all weak SSL ciphers and whatever I try is
not disabling the export grade ciphers.  I'm using:

SSLCipherSuite HIGH:MEDIUM

yet even after doing that, these six continue to work fine
when I test them:

EDH-RSA-DES-CBC-SHA       56 bit
DES-CBC-SHA               56 bit
EXP-EDH-RSA-DES-CBC-SHA   40 bit
EXP-DES-CBC-SHA           40 bit
EXP-RC2-CBC-MD5           40 bit
EXP-RC4-MD5               40 bit

I've altered my directive to have !EXP and even to have
each of those six ciphers above explicitly excluded yet
they remain enabled.

Thanks,

David

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

