httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Pasher <just...@newmediagateway.com>
Subject Re: [users@httpd] Using SSLCipherSuite to restrict to faster cipher algorithms
Date Wed, 16 Dec 2009 18:00:33 GMT
Fran├žois Beaune wrote:
> Sorry, I had overlooked your suggestion.  Here's the output of the script:
>
> $ ./openssl_check.sh svn.mydomain.net <http://svn.mydomain.net>
> Checking svn.mydomain.net:443 <http://svn.mydomain.net:443> ...
>   + EXP1024-RC4-SHA at Server public key is 2048 bit
>   + EXP1024-DES-CBC-SHA at Server public key is 2048 bit
>   + DHE-RSA-AES256-SHA at Server public key is 2048 bit
>   + AES256-SHA at Server public key is 2048 bit
>   + DHE-RSA-AES128-SHA at Server public key is 2048 bit
>   + AES128-SHA at Server public key is 2048 bit
>   + EDH-RSA-DES-CBC3-SHA at Server public key is 2048 bit
>   + EDH-RSA-DES-CBC-SHA at Server public key is 2048 bit
>   + EXP-EDH-RSA-DES-CBC-SHA at Server public key is 2048 bit
>   + DES-CBC3-SHA at Server public key is 2048 bit
>   + DES-CBC-SHA at Server public key is 2048 bit
>   + EXP-DES-CBC-SHA at Server public key is 2048 bit
>   + EXP-RC2-CBC-MD5 at Server public key is 2048 bit
>   + RC4-SHA at Server public key is 2048 bit
>   + RC4-MD5 at Server public key is 2048 bit
>   + EXP-RC4-MD5 at Server public key is 2048 bit
>   + EXP-RC2-CBC-MD5 at Server public key is 2048 bit
>   + EXP-RC4-MD5 at Server public key is 2048 bit
>   + RC4-MD5 at Server public key is 2048 bit
>
> I suspect this isn't correct though, as the list stays the same 
> regardless of how I set SSLCipherSuite (I did restart Apache after 
> each change to SSLCipherSuite).  Either I'm not using the script 
> correctly, or I'm not setting SSLCipherSuite correctly, or I'm doing 
> another error.  Any idea?

Everything with a plus sign is a cipher that is accepted by your apache 
server, so given these results, the SSLCipherSuite directive is not 
being registered.

Here is the SSLCipherSuite directive that I use on my servers to lock 
out insecure ciphers:

SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5

Try setting your config to this value. Obviously this is different than 
what you are trying to accomplish, but right now the goal is to figure 
out whether the SSLCipherSuite directive is actually being acknowledged. 
When you run the openssl_check.sh script again, it should return the 
following results:

  + AES256-SHA at Server public key is 1024 bit
  + AES128-SHA at Server public key is 1024 bit
  + DES-CBC3-SHA at Server public key is 1024 bit
  + RC4-SHA at Server public key is 1024 bit
  + RC4-MD5 at Server public key is 1024 bit
  + RC4-MD5 at Server public key is 1024 bit

If you see anything different, then the SSLCipherSuite is not being set 
properly. Double check that you don't have multiple SSLCipherSuite 
directives set across different files. Also make sure you are not 
accidentally setting it within an unintentional container, such as 
<Directory> or <VirtualHost>. I know that on CentOS, the default config 
file that has the SSL directives actually contains the SSLCipherSuite 
directive within a <VirtualHost> container. That threw me off recently 
when I was trying to setup apache on a CentOS box for the first time.

-- 
Justin Pasher

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message