httpd-users mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] SSL cipher suite modification
Date Wed, 07 Dec 2011 14:42:40 GMT


----- Original Message -----
> Hello,
> 
> Currently we are using the following ciphersuite in our httpd.conf
> file.
> 
> SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 
> But our new client does not support the RC4+RSA cipher tag. They
> support DES-CBC-SHA tag.
> 
> However, there are many other clients using the RC4+RSA tag. So I
> would like to know how to append the DES-CBC-SHA tag to the
> existing ciphersuite, without changing the configuration.
> 
> Please let me know the SSLCipherSuite that is valid for both RC4+RSA
> and DES-CBC-SHA. As RC4+RSA is SSLv2 and DES-CBC-SHA is supported by
> SSLv3.
> 
> Kindly let me know if you need any further information.

How about something like this?

  SSLCipherSuite !ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLHonorCipherOrder on

Although, frankly.. I'd probably not set +LOW or +SSLv2.. or anything below MEDIUM.
Or containing MD5 :-S

  SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
  SSLHonorCipherOrder on


But it doesn't really matter: adding !MD5 will result in a very
limited set if DES-CBC-SHA and RC4+RSA are your lowest entries:

  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA'
  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
  igalic@tynix ~ % 



Adding MD5 makes the situation worse, IMO.

I think you need to fix this. This is a problem.

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
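
The `openssl ciphers -v` check from the reply above, turned into a small audit script. This is an added example, not part of the original message: it parses the output format shown there and flags the properties the reply warns about (anything below MEDIUM, SSLv2, MD5) plus eNULL, export-grade and RC4. The function names and the last three sample rows are constructed for illustration.

```python
import re

# First two rows: `openssl ciphers -v` output quoted in the message above.
# Last three rows: constructed in the same format to exercise the other checks.
SAMPLE = """\
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
ENC = re.compile(r"([^()]+)(?:\((\d+)\))?$")  # "DES(56)" -> DES, 56; "None" -> None, no bits


def parse_line(line):
    """Parse one `openssl ciphers -v` row; return None for prompts and blanks."""
    parts = line.split()
    fields = dict(FIELD.findall(line))
    enc = ENC.match(fields.get("Enc", ""))
    if len(parts) < 6 or len(fields) < 4 or not enc:
        return None
    return {"name": parts[0], "proto": parts[1], "enc": enc.group(1),
            "bits": int(enc.group(2) or 0), "mac": fields["Mac"],
            "export": "export" in parts[6:]}


def findings(c):
    """Return the reasons a parsed cipher should not be offered (empty if none)."""
    checks = [
        (c["enc"] == "None", "no encryption (eNULL)"),
        (0 < c["bits"] < 128, f"{c['bits']}-bit {c['enc']} (below MEDIUM)"),
        (c["enc"] == "RC4", "RC4 (prohibited in TLS by RFC 7465)"),
        (c["mac"] == "MD5", "MD5 MAC"),
        (c["proto"] == "SSLv2", "SSLv2 suite"),
        (c["export"], "export-grade"),
    ]
    return [msg for hit, msg in checks if hit]


def audit(text):
    """Map each cipher name in `openssl ciphers -v` output to its findings."""
    rows = filter(None, map(parse_line, text.splitlines()))
    return {c["name"]: findings(c) for c in rows}


if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name:14} {'; '.join(issues) or 'ok'}")
```

To audit a live configuration, pass the text printed by `openssl ciphers -v '<your SSLCipherSuite string>'` to `audit()`.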

