From: "Hollie Hollis"
Date: Thu, 4 Dec 2008 08:14:20 -0600
Subject: RE: [users@httpd] SSLCipherSuite not disabling export ciphers?

We have a few different renditions of Apache installed, a Red Hat rpm version
and a manually compiled version, and here's how ours are listed:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Thus far this set-up has passed PCI compliance scanning.

-----Original Message-----
From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com]
Sent: Thursday, December 04, 2008 2:40 AM
To: users@httpd.apache.org
Subject: [users@httpd] SSLCipherSuite not disabling export ciphers?

Can someone tell me if the SSLCipherSuite directive has any known issues
with not fully adhering to what it is given? I've been trying to make a
server PCI compliant by disabling all weak SSL ciphers and whatever I try
is not disabling the export grade ciphers.

I'm using:

SSLCipherSuite HIGH:MEDIUM

yet even after doing that, these six continue to work fine when I test them:

EDH-RSA-DES-CBC-SHA 56 bit
DES-CBC-SHA 56 bit
EXP-EDH-RSA-DES-CBC-SHA 40 bit
EXP-DES-CBC-SHA 40 bit
EXP-RC2-CBC-MD5 40 bit
EXP-RC4-MD5 40 bit

I've altered my directive to have !EXP and even to have each of those six
ciphers above explicitly excluded yet they remain enabled.

Thanks,

David

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
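
One way to check which ciphers an SSLCipherSuite value actually selects, as an added example that is not part of either message in this thread. The function names flag_weak, check_suite and sample_output are hypothetical, the sample lines are constructed in the format of `openssl ciphers -v` output, and the 128-bit minimum is an assumption. check_suite reports what the local openssl binary expands the string to, which is assumed to match the library mod_ssl is linked against.

```shell
#!/bin/sh
# Added example, not from the thread. Flags weak entries in the output of
# `openssl ciphers -v`: anything tagged "export", with no encryption, or
# with an Enc= key size below a minimum (default 128 bits, an assumption).

# flag_weak [min_bits]: stdin is `openssl ciphers -v` output;
# prints "<cipher> <bits> <reason>" for each weak entry.
flag_weak() {
    awk -v min="${1:-128}" '
    {
        bits = 0; found = 0; is_export = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Enc=/) {
                # "Enc=DES(56)" splits into "Enc=DES", "56", ""
                n = split($i, p, /[()]/)
                bits = (n >= 2) ? p[2] + 0 : 0
                found = 1
            }
            if ($i == "export") is_export = 1
        }
        if (!found) next                      # not a cipher line
        if (is_export)            reason = "export"
        else if (bits == 0)       reason = "no-encryption"
        else if (bits < min + 0)  reason = "short-key"
        else next
        print $1, bits, reason
    }'
}

# check_suite <cipher-string> [min_bits]: expand an SSLCipherSuite value
# with the local OpenSSL and list the weak ciphers it would allow.
check_suite() {
    openssl ciphers -v "$1" | flag_weak "${2:-128}"
}

# Constructed sample in `openssl ciphers -v` format: one strong cipher
# plus the six ciphers named in the original question.
sample_output() {
    cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EOF
}

sample_output | flag_weak   # lists the six weak ciphers, not the AES one
```

On the server, `check_suite 'HIGH:MEDIUM'` prints nothing when the string expands to no weak ciphers under that OpenSSL build.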