httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gabriele Paggi" <>
Subject Re: [users@httpd] [mod_ssl] SSLCipherSuite ignored?
Date Wed, 24 Nov 2010 08:14:48 GMT

First of all, thank you for your reply!

> First off: try some HIGH settings, like:
> openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'


[root@t conf.d]# grep -i 'sslciphersuite' ssl.conf
#SSLCipherSuite ALL:!ADH:!EXP-DES-CBC-SSLCipherSuite
[root@vm189 conf.d]#

> Does it change sslscan's output?

Unfortunately the output it's still the same:

[gpaggi@t32 ~]$ sslscan 10.x.xx.xx | grep -i acc
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  40 bits   EXP-RC4-MD5
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  40 bits   EXP-RC4-MD5
[gpaggi@t32 ~]$

> second: Are you restarting the server?

Yes of course.
AFAIK a graceful restart should be sufficient but, anyway, I'm doing my
tests following the configuration changes with a full restart.

I'm quite sure I'm missing something obvious, but I can't really figure
out what.

Gabriele Paggi

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message