httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sunhux G <sun...@gmail.com>
Subject [users@httpd] Syntax to replace Diffie-Hellman with RSA encryption
Date Thu, 16 Jun 2011 15:02:30 GMT
Hi

Further to the post, what's the correct syntax to replace DH
with RSA encryption?

Choose which of the options below are correct:
1) SSLCipherSuite ALL:!ADH:RC4+RSA:HIGH:MEDIUM:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
2) SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
3) SSLCipherSuite !ADH:RC4+RSA:+HIGH:+MEDIUM:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
4) SSLCipherSuite !ADH:RC4+RSA:+HIGH:+MEDIUM:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
5) SSLCipherSuite !ADH:RC4+RSA:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

What does ALL represent?

Thanks

On Sun, May 29, 2011 at 10:48 PM, sunhux G <sunhux@gmail.com> wrote:
> I'm newbie to encryption & beginner to Apache.
>
>
> Length: 81
> Handshake Protocol: Server Hello
>  Handshake Type: Server Hello (2)
>  Length: 77
>  Version: TLS 1.0 (0x0301)
>  Random
>     gmt_unix_time: May 23, 2011 11:01:51.0000000000
>     random_bytes: C0C48BA2.....
>   Session ID Length: 32
>   Session ID: 53283989...
>   Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0X0039)    <==
>
> Above is an extract of a data traffic sniffed using a product which
> I'm evaluating.
>
> I have a requirement to use a sniffing product (which I connect to our
> internal LAN) to capture users access to our website portal to check
> which pages the user access & the time a user login / logout &  SSL
> https encryption is involved.  However, to do this, I'll need to do
> decryption.
>
> My Apache web servers appear to be configured to use "Diffie-Hellman"  key
> exchange.  This can be verified by looking at the Server Hello packets and
> viewing the Cipher Suite (as shown in above traffic capture).  "DHE" means
> Diffie-Hellman key exchange.
>
> I suppose this means the shared private key from the web server is not used.
> In Diffie-Hellman key exchange, the private key for each session is created
> dynamically between the client and server, and is therefore technically
> impossible to decrypt : correct me if I'm wrong.  Refer to links / urls below
>  on why DH key exchange makes SSL decryption impossible:
>  - http://www.unleashnetworks.com/blog/?p=28
>  - http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/
>
> In my Apache config file, there's a line below:
> SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
>
>
> Question:
> Which alternative cipher provides the same encryption/key strength -
> just doesn't use Diffie-Hellman for key exchange?
>
> How should I amend my Apache config file so that it replaces Diffie-Hellman
> with this new encryption?  Pls provide as precise the instruction as possible
> & whether I need to do "service httpd restart" or "service httpd reload"?
>
> Any alternative proposed should not flag out as vulnerability during a
> vulnerability scan.
>
>
> Then I would be able to use the promiscuous mode sniffing device to see a
> user logins & the slow pages that he accessed etc
>
>
> Thanks
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message