httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] SSL cipher suite modification
Date Wed, 07 Dec 2011 20:29:53 GMT


----- Original Message -----
> Hi Igor,
> 
> Thanks a zillion.
> 
> I understand from your mail that the following 2 cipher suites will
> work with the existing and the new clinet configurations.
> 
> Kindly correct me if I m wrong.
> 
> 1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
> 
> However the first cipher suite contains MD5, which is not preferable
> due to security reasons.
> 
> Hence we can use the second cipher, which is same as the first
> cipher(both the clients those who are using RC4+RSA and the
> DES-CBC-SHA will be able to have a successful ssl handshake), but
> this one is more secured compared to the first one.
> 
> If we add the second cipher suite. does the configuration look as
> following ? :
> SSLProtocol +SSLv3
> SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
> SSLHonorCipherOrder on

igalic@tynix ~ % openssl ciphers -v ' !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
igalic@tynix ~ %                                                                         
                                                                               

SSLProtocol +SSLv3 is not very useful in this case, because
SSLProtocol defaults to "all", so, to all, you're adding SSLv3,
but that's already contained in "all", so it'll be ignored.

One way or the other, the ciphersuite you're selecting will give you SSLv3
*only* anyway! AND it will limit you to exactly two ciphers. In effect, this:

does the same:

igalic@tynix ~ % openssl ciphers -v '!MD5:DES-CBC-SHA:RC4+RSA'
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
igalic@galic %

> Please let me know if I m not clear.


My question is still: Why do you have to narrow your cipher suite down
*so* much? - Is there a sane way to upgrade the clients such that they
support modern, more secure, or just: *more* ciphers?

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message