httpd-users mailing list archives

From François Beaune <>
Subject Re: [users@httpd] Using SSLCipherSuite to restrict to faster cipher algorithms
Date Thu, 17 Dec 2009 10:57:53 GMT
On Wed, Dec 16, 2009 at 7:00 PM, Justin Pasher wrote:

> Here is the SSLCipherSuite directive that I use on my servers to lock out
> insecure ciphers:
> Try setting your config to this value. Obviously this is different than
> what you are trying to accomplish, but right now the goal is to figure out
> whether the SSLCipherSuite directive is actually being acknowledged. When
> you run the script again, it should return the following
> results:
>  + AES256-SHA at Server public key is 1024 bit
>  + AES128-SHA at Server public key is 1024 bit
>  + DES-CBC3-SHA at Server public key is 1024 bit
>  + RC4-SHA at Server public key is 1024 bit
>  + RC4-MD5 at Server public key is 1024 bit
>  + RC4-MD5 at Server public key is 1024 bit
> If you see anything different, then the SSLCipherSuite is not being set
> properly. Double check that you don't have multiple SSLCipherSuite
> directives set across different files. Also make sure you are not
> accidentally setting it within an unintentional container, such as
> <Directory> or <VirtualHost>. I know that on CentOS, the default config file
> that has the SSL directives actually contains the SSLCipherSuite directive
> within a <VirtualHost> container. That threw me off recently when I was
> trying to set up Apache on a CentOS box for the first time.

I'm still getting the same list, even if I use the SSLCipherSuite you
suggested, so it's clearly not used.

On my side (in my subdomain's configuration), I only have one
SSLCipherSuite occurrence, inside the <VirtualHost> container I showed
earlier in this thread (and it's not in a <Location> or <Directory>

That being said, in /etc/httpd/conf.d/ssl.conf, there is another occurrence:

    <VirtualHost _default_:443>
        SSLEngine on
        SSLProtocol all -SSLv2

Shouldn't my configuration file have precedence over that?
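The advice earlier in the thread, to check for multiple SSLCipherSuite directives across files and for copies sitting inside an unintended container, can be turned into a repeatable check. The following POSIX shell script is an added example written for this page; it is not code from the thread or from the Apache project. It walks a config tree, prints every SSLCipherSuite line together with the chain of containers enclosing it, and counts the occurrences. The directory layout, file names and cipher strings produced by make_sample_tree are constructed to mirror the situation described above (a distribution ssl.conf with its own <VirtualHost _default_:443> block plus the admin's vhost file); on a real host you would point find_cipher_suites at /etc/httpd instead.

```shell
# Added example (not from the thread or the Apache project): list every
# SSLCipherSuite directive below a config tree with the containers around it,
# so a second copy in another file, or one inside <VirtualHost>/<Directory>/
# <Location>, stands out. Assumes a CentOS-style tree with conf.d/*.conf.

# Print one tab-separated line "file line context value" per SSLCipherSuite
# directive found in *.conf files below $1. context is "global" or the chain
# of enclosing container names, outermost first (e.g. "IfModule/VirtualHost").
find_cipher_suites() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            # opening tag: push its name (text up to the first space or ">")
            /^[ \t]*<[A-Za-z]/ {
                tag = $0
                sub(/^[ \t]*</, "", tag)
                sub(/[ \t>].*$/, "", tag)
                stack[++depth] = tag
            }
            # closing tag: pop the innermost container
            /^[ \t]*<\/[A-Za-z]/ { if (depth > 0) depth-- }
            /^[ \t]*SSLCipherSuite[ \t]/ {
                ctx = ""
                for (i = 1; i <= depth; i++)
                    ctx = (i == 1) ? stack[i] : (ctx "/" stack[i])
                if (ctx == "") ctx = "global"
                val = $0
                sub(/^[ \t]*SSLCipherSuite[ \t]+/, "", val)
                printf "%s\t%d\t%s\t%s\n", file, NR, ctx, val
            }
        ' "$f"
    done
}

# Number of SSLCipherSuite occurrences below $1; 0 means the directive is
# not set anywhere in that tree.
count_cipher_suites() {
    find_cipher_suites "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (values are made up for this example): the
# distribution's ssl.conf sets the directive inside <VirtualHost _default_:443>
# and the admin's own vhost file sets it again. Prints the directory name.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    cat > "$d/conf.d/ssl.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite RC4-SHA:RC4-MD5:AES128-SHA
</VirtualHost>
EOF
    cat > "$d/conf.d/example-site.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
    <Directory /var/www/example>
        Options -Indexes
    </Directory>
</VirtualHost>
EOF
    echo "$d"
}

# Demo run on the constructed tree: prints both occurrences, each tagged
# with its file, line number and VirtualHost context.
demo_dir=$(make_sample_tree)
find_cipher_suites "$demo_dir"
rm -rf "$demo_dir"
```

Any result with more than one line, or with a context you did not expect, is the condition the thread warns about: several SSLCipherSuite directives in play, with the one that applies depending on which container and which file httpd reads for the connection.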

