httpd-users mailing list archives

From Gabriele Paggi <gabriele.pa...@ordanomade.org>
Subject [users@httpd] [mod_ssl] SSLCipherSuite ignored?
Date Tue, 23 Nov 2010 21:10:28 GMT
Hello,

This is my first mail here; I was advised to write here after
posting on alt.comp.apache.configuration.

I'm trying to limit the number of ciphers used by mod_ssl and I'm running:
- Apache 2.2.3
- mod_ssl-2.2.3-22
- OpenSSL 0.9.8e-fips-rhel5
on RHEL 5.3.

My server-wide mod_ssl cipher suite configuration line is:
SSLCipherSuite ALL:!ADH:!EXP-DES-CBC-SHA:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW
I don't have per-vhost mod_ssl configuration that could override it.

For this SSLCipherSuite list, the following ciphers should be
accepted:
[root@t]# openssl ciphers -v 'ALL:!ADH:!EXP-DES-CBC-SHA:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH    Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH    Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH    Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH    Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA   Au=RSA  Enc=AES(128)  Mac=SHA1
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5  Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5  Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH    Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH    Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA   Au=RSA  Enc=3DES(168) Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5  Au=KRB5 Enc=RC4(128)  Mac=MD5
KRB5-RC4-SHA            SSLv3 Kx=KRB5  Au=KRB5 Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA   Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA   Au=RSA  Enc=RC4(128)  Mac=MD5

Using sslscan (or manually trying each cipher by hand with the
openssl_client), I see indeed the following list:
[gpaggi@t32 ~]$ sslscan 10.x.xx.xx | grep -i acc
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5

I've been struggling with this for a while, either trying to add only
the ciphers I would like to see (without using aliases like EXP) or,
the other way around, removing the unwanted ones.
Either way the accepted ciphers list I see via sslscan is always the
same.

What I would like to do is to get rid of the EXP-* ciphers and the
ones with a key < 128 bits.
I've tried to include !EXPORT40 and !EXPORT56 with the same results
reported by sslscan as the ones shown above.
Any suggestion on how to accomplish this is more than welcome!

Thanks!

Gabriele Paggi
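
Added example, not part of the original message: a small Python check that compares the cipher names `openssl ciphers -v` printed for the configured string with what sslscan reports as accepted, and flags export or sub-128-bit suites. The cipher names and scan lines are copied from the post (TLSv1 lines only); the function names are this example's own.

```python
import re

# First column of the `openssl ciphers -v` output quoted in the post.
EXPECTED = """DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA AES128-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA KRB5-RC4-MD5
KRB5-RC4-SHA RC4-SHA RC4-MD5""".split()

# TLSv1 "Accepted" lines from the sslscan output quoted in the post.
SSLSCAN = """\
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
"""

ACCEPTED_RE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)$")

def parse_sslscan(text):
    """Return (protocol, bits, cipher) for each 'Accepted' line."""
    hits = (ACCEPTED_RE.match(l.strip()) for l in text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in hits if m]

def audit(expected, scan_text, min_bits=128):
    """Compare the scan with the expected set; return three sorted lists."""
    rows = parse_sslscan(scan_text)
    seen = {c for _, _, c in rows}
    unexpected = sorted(seen - set(expected))      # accepted, not in the string
    weak = sorted({c for _, b, c in rows if b < min_bits or c.startswith("EXP-")})
    not_offered = sorted(set(expected) - seen)     # in the string, never accepted
    return unexpected, weak, not_offered

if __name__ == "__main__":
    unexpected, weak, not_offered = audit(EXPECTED, SSLSCAN)
    print("accepted but not expected:", unexpected)
    print("export or < 128 bits:     ", weak)
    print("expected but not offered: ", not_offered)
```

The "accepted but not expected" list is the one that contradicts the configured string; the DSS and KRB5 suites under "expected but not offered" cannot be negotiated by a server that only has an RSA certificate.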
