httpd-users mailing list archives

From Crypto Sal <crypto....@gmail.com>
Subject Re: [users@httpd] Is it okay to not use exportable ciphers?
Date Fri, 21 Aug 2009 00:31:00 GMT
On 08/20/2009 03:40 PM, Brian Mearns wrote:
> On Thu, Aug 20, 2009 at 3:24 PM, Sander Temme<sctemme@apache.org>  wrote:
>    
>> On Aug 20, 2009, at 3:16 PM, Brian Mearns wrote:
>>
>>      
>>> For the sake of security, I'd like to configure my SSL/TLS server to
>>> not allow export level ciphers (using the SSLCipherSuite directive).
>>> Is this going to realistically limit the number of people who can use
>>> a secure connection to my site? Specifically, will visitors from other
>>> countries (outside the US) be able to support the stronger
>>> (non-exportable) ciphers?
>>>        
>>
>> You can configure a logfile to record what ciphers your users are currently
>> using, and draw conclusions from that.
>>
>> S.
>>      
> [clip]
>
> Good idea, but I'm not currently getting many users. I'm thinking in
> the long term, I don't want to lock out potential visitors just
> because they're using weak crypto.
>
> -Brian
>
>    


Brian,

Have you considered using Apache's "SGC"? There's a nice little blurb
about it in the Apache Docs.
[ http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#upgradeenc ]

"How can I create an SSL server which accepts strong encryption only, 
but allows export browsers to upgrade to stronger encryption?"

--Sal


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
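
Sander's suggestion in the quoted thread, logging the negotiated ciphers and drawing conclusions from them, sketched as an added example that is not part of the original messages. It assumes the log uses mod_ssl's documented `%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b` request-log format and that export suites carry OpenSSL's `EXP` name prefix; the sample lines are constructed.

```python
import re
from collections import Counter

# mod_ssl's documented request-log layout (assumed to be the one in use):
#   CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[[^\]]+\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) "[^"]*" \S+$'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """
[20/Aug/2009:15:40:01 -0400] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET / HTTP/1.1" 1024
[20/Aug/2009:15:40:05 -0400] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /a.css HTTP/1.1" 512
[20/Aug/2009:15:41:12 -0400] 198.51.100.7 SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 1024
[20/Aug/2009:15:42:30 -0400] 203.0.113.5 SSLv3 EXP-DES-CBC-SHA "GET / HTTP/1.0" 1024
[20/Aug/2009:15:42:31 -0400] 203.0.113.5 TLSv1 RC4-SHA "GET /x HTTP/1.0" 100
[20/Aug/2009:15:43:00 -0400] 192.0.2.99 - - "-" -
"""

def is_export(cipher):
    """OpenSSL names export-grade suites with an EXP prefix (EXP-RC4-MD5, EXP1024-...)."""
    return cipher.upper().startswith("EXP")

def summarize(lines):
    """Tally negotiated ciphers and find clients that only ever used export suites."""
    by_cipher = Counter()
    per_client = {}          # host -> set of ciphers seen for that host
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m or m["cipher"] == "-":   # malformed line or no SSL cipher logged
            skipped += 1
            continue
        by_cipher[m["cipher"]] += 1
        per_client.setdefault(m["host"], set()).add(m["cipher"])
    export_only = sorted(h for h, cs in per_client.items() if all(map(is_export, cs)))
    return {
        "by_cipher": by_cipher,
        "export_requests": sum(n for c, n in by_cipher.items() if is_export(c)),
        "clients": len(per_client),
        "export_only_clients": export_only,
        "skipped": skipped,
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for cipher, n in report["by_cipher"].most_common():
        print(f"{n:5d}  {'EXPORT' if is_export(cipher) else 'ok':6}  {cipher}")
    print("export-only clients:", report["export_only_clients"])
```

A logged suite is only the one that was negotiated, not everything the client offered, so the export-only list is an upper bound on who would be locked out by disabling export ciphers.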

