httpd-users mailing list archives

From François Beaune <dict...@gmail.com>
Subject Re: [users@httpd] Using SSLCipherSuite to restrict to faster cipher algorithms
Date Thu, 17 Dec 2009 10:57:53 GMT
On Wed, Dec 16, 2009 at 7:00 PM, Justin Pasher <justinp@newmediagateway.com> wrote:

[snip]

> Here is the SSLCipherSuite directive that I use on my servers to lock out
> insecure ciphers:
>
> SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5
>
> Try setting your config to this value. Obviously this is different than
> what you are trying to accomplish, but right now the goal is to figure out
> whether the SSLCipherSuite directive is actually being acknowledged. When
> you run the openssl_check.sh script again, it should return the following
> results:
>
>  + AES256-SHA at Server public key is 1024 bit
>  + AES128-SHA at Server public key is 1024 bit
>  + DES-CBC3-SHA at Server public key is 1024 bit
>  + RC4-SHA at Server public key is 1024 bit
>  + RC4-MD5 at Server public key is 1024 bit
>  + RC4-MD5 at Server public key is 1024 bit
>
> If you see anything different, then the SSLCipherSuite is not being set
> properly. Double check that you don't have multiple SSLCipherSuite
> directives set across different files. Also make sure you are not
> accidentally setting it within an unintentional container, such as
> <Directory> or <VirtualHost>. I know that on CentOS, the default config file
> that has the SSL directives actually contains the SSLCipherSuite directive
> within a <VirtualHost> container. That threw me off recently when I was
> trying to set up Apache on a CentOS box for the first time.


I'm still getting the same list, even if I use the SSLCipherSuite you
suggested, so it's clearly not used.

On my side (in my subdomain's configuration), I only have one
SSLCipherSuite occurrence, inside the <VirtualHost> container I showed
earlier in this thread (and it's not in a <Location> or <Directory>
container).

That being said, in /etc/httpd/conf.d/ssl.conf, there is another occurrence:

    <VirtualHost _default_:443>
        ...
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        ...
    </VirtualHost>

Shouldn't my configuration file have precedence over that?

Cheers,
Franz
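An added example (not part of the thread) for the "multiple SSLCipherSuite directives across different files" check Justin suggests: it walks an httpd config tree and prints every SSLCipherSuite directive with its file, line and enclosing container chain, run here over a constructed sample tree that mirrors the two vhosts above. It assumes POSIX sh, find and awk; the sample tree path and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: list every SSLCipherSuite directive in an
# httpd config tree with the container it sits in, so a second copy hidden in
# another file (here conf.d/ssl.conf) stands out. Assumes POSIX sh, find, awk.

find_cipher_suites() {
    find "$1" -type f -name '*.conf' | sort | while read -r f; do
        awk -v file="$f" '
            # push <Container ...>, pop </Container>; only letters start a tag
            /^[ \t]*<[A-Za-z]/ {
                name = $1; sub(/^[ \t]*</, "", name); sub(/[ >].*$/, "", name)
                stack[++depth] = name
            }
            /^[ \t]*<\/[A-Za-z]/ { if (depth > 0) depth-- }
            tolower($1) == "sslciphersuite" {
                ctx = ""
                for (i = 1; i <= depth; i++) ctx = ctx (i > 1 ? "/" : "") stack[i]
                if (ctx == "") ctx = "global"
                val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)
                printf "%s:%d [%s] %s\n", file, NR, ctx, val
            }' "$f"
    done
}

# Constructed sample tree mirroring the thread: the distro default in
# conf.d/ssl.conf plus a subdomain vhost setting its own suite inside <Directory>.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    printf '%s\n' '<VirtualHost _default_:443>' '    SSLEngine on' \
        '    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW' \
        '</VirtualHost>' > "$d/conf.d/ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' '    ServerName sub.example.com' \
        '    <Directory /var/www>' \
        '        SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5' \
        '    </Directory>' '</VirtualHost>' > "$d/conf.d/sub.conf"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    find_cipher_suites "$(make_sample_tree)"
fi
```

Two hits in two files is exactly the situation to watch for: the TLS handshake happens before any Host header is seen, so without SNI (which mod_ssl gained in 2.2.12) httpd negotiates with the cipher settings of the first VirtualHost bound to that address:port, and a later vhost's SSLCipherSuite never takes effect.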
