httpd-users mailing list archives

From aparna Puram <aparnapu...@gmail.com>
Subject Re: [users@httpd] SSL cipher suite modification
Date Wed, 07 Dec 2011 19:08:23 GMT
Hi Igor,

Thanks a zillion.

I understand from your mail that the following 2 cipher suites will work
with the existing and the new client configurations.

Kindly correct me if I'm wrong.

1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM

However the first cipher suite contains MD5, which is not preferable due to
security reasons.

Hence we can use the second cipher, which is the same as the first cipher (both
the clients using RC4+RSA and those using DES-CBC-SHA will be able to
have a successful SSL handshake), but this one is more secure compared to
the first one.

If we add the second cipher suite, does the configuration look as follows?
SSLProtocol +SSLv3
 SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
 SSLHonorCipherOrder on

Please let me know if I'm not clear.

2011/12/7 Igor Galić <i.galic@brainsware.org>

>
>
> ----- Original Message -----
> > Hello ,
> >
> > Currently we are using the following ciphersuite in our httpd.conf
> > file.
> >
> > SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > But our new client does not support the RC4+RSA cipher tag. They
> > support DES-CBC-SHA tag.
> >
> > However, there are many other clients using the RC4+RSA tag. So I
> > would like to know how to append the DES-CBC-SHA tag to the
> > existing ciphersuite, without changing the configuration.
> >
> > Please let me know the SSLCipherSuite that is valid for both RC4+RSA
> > and DES-CBC-SHA, as RC4+RSA is SSLv2 and DES-CBC-SHA is supported by
> > SSLv3.
> >
> > Kindly let me know if you need any further information.
>
> How about something like?
>
>  SSLCipherSuite !ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>  SSLHonorCipherOrder on
>
> Although, frankly.. I'd probably not set +LOW or +SSLv2.. or anything
> below MEDIUM.
> Or containing MD5 :-S
>
>  SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
>  SSLHonorCipherOrder on
>
>
> But it doesn't really matter; adding !MD5 will result in a very
> limited set if DES-CBC-SHA and RC4+RSA are your lowest entries:
>
>  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
>  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
>  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
>  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA'
>  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
>  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
>  igalic@tynix ~ %
>
>
>
> Adding MD5 makes the situation worse, IMO.
>
> I think you need to fix this. This is a problem.
>
> i
>
> --
> Igor Galić
>
> Tel: +43 (0) 664 886 22 883
> Mail: i.galic@brainsware.org
> URL: http://brainsware.org/
> GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

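As an added example (not part of the thread), a small Python audit of the cipher list that `openssl ciphers -v` prints for a candidate SSLCipherSuite value: it parses the Kx/Au/Enc/Mac columns and flags the properties the thread argues about (single DES, RC4, MD5 MACs, anonymous DH, NULL encryption, export grade). The sample input reuses Igor's two output lines plus one constructed modern AEAD line; the finding tags are this example's own.

```python
from typing import Dict, List

# Constructed sample input: the two lines `openssl ciphers -v` printed in the
# thread for '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM', plus one modern
# AEAD suite added here for contrast.
SAMPLE_OUTPUT = """\
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""


def parse_ciphers(text: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -v` lines into dicts keyed name, proto, Kx, Au, Enc, Mac."""
    ciphers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank lines and shell prompts
        entry = {"name": parts[0], "proto": parts[1]}  # proto = minimum version
        for token in parts[2:]:
            if "=" in token:
                key, value = token.split("=", 1)
                entry[key] = value
            else:
                entry[token.lower()] = "yes"  # e.g. the trailing 'export' flag
        ciphers.append(entry)
    return ciphers


def weaknesses(cipher: Dict[str, str]) -> List[str]:
    """Return the reasons a cipher should not be offered (empty list if none)."""
    found = []
    enc, mac, au = cipher.get("Enc", ""), cipher.get("Mac", ""), cipher.get("Au", "")
    if enc == "None":
        found.append("NULL-ENC")   # what '+eNULL' lets back in: no confidentiality
    if enc.startswith("DES(56)"):
        found.append("DES56")      # single DES, brute-forceable key
    if enc.startswith("RC4"):
        found.append("RC4")        # biased keystream, prohibited by RFC 7465
    if mac == "MD5":
        found.append("MD5-MAC")    # what '!MD5' removes
    if au == "None":
        found.append("ANON-AUTH")  # anonymous DH, what '!ADH' removes
    if cipher.get("export") == "yes":
        found.append("EXPORT")     # 40/56-bit export-grade key exchange
    return found


def audit(text: str) -> Dict[str, List[str]]:
    """Map each cipher name in the list to its findings."""
    return {c["name"]: weaknesses(c) for c in parse_ciphers(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(f"{name:30} {'OK' if not findings else ', '.join(findings)}")
```

Pipe real output in with `openssl ciphers -v '<string>'` to check a proposed SSLCipherSuite before putting it in httpd.conf; in this run both ciphers that the thread's string resolves to are flagged.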