httpd-users mailing list archives

From aparna Puram <aparnapu...@gmail.com>
Subject Re: [users@httpd] SSL cipher suite modification
Date Thu, 08 Dec 2011 07:08:28 GMT
Hello Igor,

Thanks a lot for excellent suggestion...

We will raise this concern to our client. However, there are many third-party
servers that are connecting to our webserver. This will take time, I guess.

Hence we will try configuring the following for the time being and check if the
new client with DES-CBC-SHA is able to connect to our webserver.

!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM

I will again need your help if the new client is unable to connect.

Thanks again...

2011/12/8 Igor Galić <i.galic@brainsware.org>

>
>
> ----- Original Message -----
> > Hi Igor,
> >
> > Thanks a zillion.
> >
> > I understand from your mail that the following 2 cipher suites will
> > work with the existing and the new client configurations.
> >
> > Kindly correct me if I'm wrong.
> >
> >
> > 1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > 2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
> >
> > However the first cipher suite contains MD5, which is not preferable
> > due to security reasons.
> >
> > Hence we can use the second cipher, which is the same as the first
> > cipher (both the clients, those who are using RC4+RSA and the
> > DES-CBC-SHA, will be able to have a successful SSL handshake), but
> > this one is more secure compared to the first one.
> >
> > If we add the second cipher suite, does the configuration look like the
> > following?:
> > SSLProtocol +SSLv3
> > SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
> > SSLHonorCipherOrder on
>
> igalic@tynix ~ % openssl ciphers -v '
> !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
> DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
> RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
> igalic@tynix ~ %
>
> SSLProtocol +SSLv3 is not very useful in this case, because
> SSLProtocol defaults to "all", so, to all, you're adding SSLv3,
> but that's already contained in "all", so it'll be ignored.
>
> One way or the other, the ciphersuite you're selecting will give you SSLv3
> *only* anyway! AND it will limit you to exactly two ciphers. In effect,
> this:
>
> does the same:
>
> igalic@tynix ~ % openssl ciphers -v '!MD5:DES-CBC-SHA:RC4+RSA'
> DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
> RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
> igalic@galic %
>
> > Please let me know if I'm not clear.
>
>
> My question is still: Why do you have to narrow your cipher suite down
> *so* much? - Is there a sane way to upgrade the clients such that they
> support modern, more secure, or just: *more* ciphers?
>
> i
>
> --
> Igor Galić
>
> Tel: +43 (0) 664 886 22 883
> Mail: i.galic@brainsware.org
> URL: http://brainsware.org/
> GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
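Added example, not part of the thread and not OpenSSL's or httpd's own code: a small evaluator for the OpenSSL cipher-string syntax discussed above, run over a constructed table of a few SSLv3/TLS1.0-era suites modelled on the `openssl ciphers -v` lines Igor quoted (the table, its aliases and its strength labels are assumptions for illustration; the real source of truth remains `openssl ciphers -v` on the server's own OpenSSL). It makes the point in the reply concrete: `!` kills a suite for the rest of the string, a plain token appends, and `+HIGH`/`+MEDIUM` only reorder suites that are already selected, so the string in the reply selects exactly DES-CBC-SHA and RC4-SHA and nothing stronger.

```python
import re
from dataclasses import dataclass

# Constructed cipher table (NOT OpenSSL's real list): a handful of suites with the
# aliases they answer to in a cipher string, listed strongest first the way
# `openssl ciphers -v` orders them.  DES(56) is classified LOW by OpenSSL.
@dataclass(frozen=True)
class Suite:
    name: str
    aliases: frozenset

    def matches(self, wanted):
        # A token such as RC4+RSA means "matches RC4 AND RSA".
        return wanted <= (self.aliases | {self.name})

def S(name, *aliases):
    return Suite(name, frozenset(aliases))

SUITES = [
    S("DES-CBC3-SHA",   "3DES", "SHA1", "RSA", "HIGH"),
    S("AES128-SHA",     "AES", "SHA1", "RSA", "HIGH"),
    S("AES256-SHA",     "AES", "SHA1", "RSA", "HIGH"),
    S("ADH-AES128-SHA", "AES", "SHA1", "ADH", "aNULL", "HIGH"),
    S("RC4-SHA",        "RC4", "SHA1", "RSA", "MEDIUM"),
    S("RC4-MD5",        "RC4", "MD5", "RSA", "MEDIUM"),
    S("DES-CBC-SHA",    "DES", "SHA1", "RSA", "LOW"),
    S("EXP-RC4-MD5",    "RC4", "MD5", "RSA", "EXP", "EXPORT"),
]

STRENGTH_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "EXPORT": 3}

def expand(cipher_string, suites=SUITES):
    """Return the ordered suite names an OpenSSL-style cipher string selects.

    Rule semantics modelled here (as described in ciphers(1)):
      token      append matching suites (suites already present stay where they are)
      -token     remove matching suites; a later rule may add them back
      !token     remove matching suites and forbid them for the rest of the string
      +token     move matching *already selected* suites to the end; adds nothing
      @STRENGTH  stable-sort the current list by strength
    """
    active = []        # ordered list of selected suite names
    killed = set()     # names removed with '!' (permanent)
    for rule in re.split(r"[:, ]+", cipher_string.strip()):
        if not rule:
            continue
        op, body = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        if body == "@STRENGTH":
            by_name = {s.name: s for s in suites}
            active.sort(key=lambda n: min(STRENGTH_RANK.get(a, 9) for a in by_name[n].aliases))
            continue
        wanted = set(body.split("+"))
        matched = [s.name for s in suites if s.matches(wanted)]
        if op == "!":
            killed.update(matched)
            active = [n for n in active if n not in killed]
        elif op == "-":
            active = [n for n in active if n not in matched]
        elif op == "+":
            moved = [n for n in active if n in matched]
            active = [n for n in active if n not in matched] + moved
        else:
            for n in matched:
                if n not in killed and n not in active:
                    active.append(n)
    return active

def accepts(cipher_string, *names):
    """True if every named suite survives in the expanded string (e.g. the new client's DES-CBC-SHA)."""
    selected = set(expand(cipher_string))
    return all(n in selected for n in names)

if __name__ == "__main__":
    for cs in ("!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM",
               "!MD5:DES-CBC-SHA:RC4+RSA",
               "HIGH:!ADH:!MD5:DES-CBC-SHA:RC4+RSA"):
        print(f"{cs:48} -> {expand(cs)}")
```

Running it shows the first two strings expand identically, and that writing `HIGH` without the `+` (or putting it first, which is what matters once SSLHonorCipherOrder is on) is what actually adds the stronger suites for clients that can negotiate them while still admitting the two legacy ones.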
