httpd-users mailing list archives

From aparna Puram <aparnapu...@gmail.com>
Subject Re: [users@httpd] SSL cipher suite modification
Date Fri, 09 Dec 2011 09:25:35 GMT
Hello Igor/Matus,

The issue is resolved for now after adding the cipher that our client supports.

Resolution: They have given the list of ciphers that they support. I have
tried using one of the ciphers (DES-CBC-SHA) that they said they support.
But with this they were unable to connect.

Then I used the following command to get the protocol and cipher that
they have used.

/opt/csw/bin/openssl s_client -connect clinethostname:443 -debug

Then it gave me the protocol that they have used.

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA

I have added this protocol and cipher to my sslciphersuite. It has enabled
them to connect to our webserver.

I have suggested my clients to upgrade their applications to support SSLv3
and higher protocols.

Thanks a lot Igor, your input has helped me a lot...:)



On Thu, Dec 8, 2011 at 7:39 PM, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:

> On 08.12.11 00:38, aparna Puram wrote:
>
>> I understand from your mail that the following 2 cipher suites will work
>> with the existing and the new client configurations.
>>
>> Kindly correct me if I'm wrong.
>>
>> 1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> 2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
>>
>> However the first cipher suite contains MD5, which is not preferable due to
>> security reasons.
>>
>
> You disallow md5 due to security reasons, but allow null, export and low
> ciphers? :-)
>
> I use DEFAULT:!EXP:!LOW and I hope that's enough. You can exclude MD5
> from those but I'd like to see your "security" reasons, due to paragraph
> above.
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux is like a teepee: no Windows, no Gates and an apache inside...
>
>
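
An added example, not part of the thread and not code from any poster: a check for the null, export and low ciphers raised in the quoted reply, which parses a listing in the layout printed by `openssl ciphers -v` and reports the suites that fall into those classes. The sample listing is constructed, and `audit` and `expand` are names made up for this example.

```python
import re
import subprocess

# Constructed sample in the layout printed by `openssl ciphers -v`.
SAMPLE = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH       Au=RSA  Enc=AES(256) Mac=SHA1
DES-CBC-SHA        SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)  Mac=SHA1
RC4-MD5            SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128) Mac=MD5
EXP-RC4-MD5        SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)  Mac=MD5 export
NULL-SHA           SSLv3 Kx=RSA      Au=RSA  Enc=None     Mac=SHA1
ADH-AES256-SHA     SSLv3 Kx=DH       Au=None Enc=AES(256) Mac=SHA1
"""

def expand(cipher_string, openssl="openssl"):
    """Ask the local OpenSSL which suites a cipher string really selects."""
    out = subprocess.run([openssl, "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True)
    return out.stdout

def audit(listing):
    """Map each suite in the listing to the reasons it is weak ([] = none found)."""
    report = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # not a cipher line
        name, proto = fields[0], fields[1]
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        reasons = []
        if attrs.get("Enc") == "None":
            reasons.append("no encryption (eNULL)")
        if attrs.get("Au") == "None":
            reasons.append("no authentication (aNULL/ADH)")
        if "export" in fields[6:]:
            reasons.append("export grade")
        bits = re.search(r"\((\d+)\)", attrs.get("Enc", ""))
        if bits and int(bits.group(1)) < 128:
            reasons.append(f"{bits.group(1)}-bit key")
        if attrs.get("Mac") == "MD5":
            reasons.append("MD5 MAC")
        if proto == "SSLv2":
            reasons.append("SSLv2 suite")
        report[name] = reasons
    return report

if __name__ == "__main__":
    for suite, why in audit(SAMPLE).items():
        print(f"{suite:20} {'OK' if not why else ', '.join(why)}")
```

To audit a real configuration, pass the SSLCipherSuite value through `expand` first, for example `audit(expand("DEFAULT:!EXP:!LOW"))`; the result depends on the installed OpenSSL build.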
