On Wed, Dec 16, 2009 at 5:03 PM, Justin Pasher
<justinp@newmediagateway.com>wrote:
> François Beaune wrote:
>
>> Hey Justin,
>>
>> Thanks for your answer. I did add the various versions of the
>> SSLCipherSuite directive to my virtual host container, sorry if that wasn't
>> clear.
>>
>> In the meantime I found that, by inspecting the handshake between
>> TortoiseSVN and Apache, the connection does use RC4, which is good. Still,
>> I don't understand why this doesn't happen with Firefox (it always uses AES
>> 256, which shouldn't be allowed, if I understand things correctly). Any
>> clue?
>>
>
> Did you try running the shell script to verify that the server is correctly
> applying the SSLCipherSuite directive and only offering the ciphers you have
> allowed?
>
>
> http://www.lazorsoftware.com/lazorsoft/files/openssl_check.sh
>
>
Sorry, I had overlooked your suggestion. Here's the output of the script:
$ ./openssl_check.sh svn.mydomain.net
Checking svn.mydomain.net:443 ...
 DHEDSSRC4SHA
 EXP1024DHEDSSRC4SHA
+ EXP1024RC4SHA at Server public key is 2048 bit
 EXP1024DHEDSSDESCBCSHA
+ EXP1024DESCBCSHA at Server public key is 2048 bit
 ADHAES256SHA
+ DHERSAAES256SHA at Server public key is 2048 bit
 DHEDSSAES256SHA
+ AES256SHA at Server public key is 2048 bit
 ADHAES128SHA
+ DHERSAAES128SHA at Server public key is 2048 bit
 DHEDSSAES128SHA
+ AES128SHA at Server public key is 2048 bit
 EXPKRB5RC4MD5
 EXPKRB5RC2CBCMD5
 EXPKRB5DESCBCMD5
 EXPKRB5RC4SHA
 EXPKRB5RC2CBCSHA
 EXPKRB5DESCBCSHA
 KRB5RC4MD5
 KRB5DESCBC3MD5
 KRB5DESCBCMD5
 KRB5RC4SHA
 KRB5DESCBC3SHA
 KRB5DESCBCSHA
 ADHDESCBC3SHA
 ADHDESCBCSHA
 EXPADHDESCBCSHA
 ADHRC4MD5
 EXPADHRC4MD5
+ EDHRSADESCBC3SHA at Server public key is 2048 bit
+ EDHRSADESCBCSHA at Server public key is 2048 bit
+ EXPEDHRSADESCBCSHA at Server public key is 2048 bit
 EDHDSSDESCBC3SHA
 EDHDSSDESCBCSHA
 EXPEDHDSSDESCBCSHA
+ DESCBC3SHA at Server public key is 2048 bit
+ DESCBCSHA at Server public key is 2048 bit
+ EXPDESCBCSHA at Server public key is 2048 bit
+ EXPRC2CBCMD5 at Server public key is 2048 bit
+ RC4SHA at Server public key is 2048 bit
+ RC4MD5 at Server public key is 2048 bit
+ EXPRC4MD5 at Server public key is 2048 bit
 DESCBC3MD5
 DESCBCMD5
+ EXPRC2CBCMD5 at Server public key is 2048 bit
 RC2CBCMD5
+ EXPRC4MD5 at Server public key is 2048 bit
+ RC4MD5 at Server public key is 2048 bit
 NULLSHA
 NULLMD5
I suspect this isn't correct though, as the list stays the same regardless
of how I set SSLCipherSuite (I did restart Apache after each change to
SSLCipherSuite). Either I'm not using the script correctly, or I'm not
setting SSLCipherSuite correctly, or I'm doing another error. Any idea?
Thanks for your help.
Cheers,
Franz
