From: Daniel Theodoro
To: users@httpd.apache.org
Date: Wed, 4 Dec 2013 14:38:44 -0200
Subject: Re: [users@httpd] Checking SSLCiphersuite?

Hi,

Try running this command:

nmap --script ssl-cert,ssl-enum-ciphers 1.1.1.1 -p 443

On Wed, Dec 4, 2013 at 1:23 PM, LuKreme <kremels@kreme.com> wrote:
> How do I check what ciphers are available to the https compiled binary,
> and how do I check which of those are active in the configuration?
>
> Is there any technical reason that ECDHE-RSA-AES128-SHA256 cannot be used
> on a server with a self-signed cert (there's no e-commerce or any financial
> data of any sort on the server).
>
> If an existing server wants to switch so that all traffic is encrypted
> using DH if possible (interested in implementing Perfect Forward Secrecy)
> are there any "Gotcha's" lurking in the bushes?
>
> If you enable ECDHE-RSA-AES128-SHA256, should you disable EDH?
>
> To be accessible for most people (including some Windows XP users), what
> else do I need to enable in the cipher suite? RC4? RC4-SHA? TLSv1? AES?
>
> Which ones do I need to avoid?
>
> --
> It's like looking for the farmer's daughter in a haystack, and finding
> the needle.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

-- 
Daniel Theodoro
Cel: 11 9-9399-3364
http://www.linkedin.com/in/danieltheodoro
• RHCE - Red Hat Certified Engineer
• LPIC-3 - Senior Level Linux Certification
• Novell Certified Linux Administrator - Suse 11
• Novell Data Center Technical Specialist - Suse 11
• OCA - Oracle Enterprise Linux Administrator Certified Associate
expertise :
EX436 - Red Hat Enterprise Clustering and Storage Management,
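The nmap script in the reply gives the outside view: which suites the running server will actually negotiate. The first two questions in the quoted post ask for the inside view: which suites the compiled-in OpenSSL knows at all, and which of those a given SSLCipherSuite string switches on. The following is an added example written for this thread, not code from the list or from httpd. It assumes Python 3.6+ and uses the OpenSSL that Python is linked against as a stand-in for the one httpd is linked against; to audit the real server, run `openssl ciphers -v '<your SSLCipherSuite value>'` with the server's own openssl binary and feed the output to `audit_lines()`. The sample cipher lines in the block are constructed, in the format `openssl ciphers -v` prints, and the forward-secrecy and weak-suite rules are this example's own.

```python
"""Expand an httpd SSLCipherSuite string the way OpenSSL does and classify the result.

Added example for the "Checking SSLCiphersuite?" thread; not code from the list
or from httpd. Assumes Python 3.6+ (ssl.SSLContext.get_ciphers).
"""
import re
import ssl

# One line of `openssl ciphers -v` (the text SSL_CIPHER_description emits), e.g.
#   ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
# The protocol column is the lowest version the suite can be used with, not the
# only one: "SSLv3" there does not mean the suite is SSLv3-only.
_DESC_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Forward secrecy needs an *ephemeral* exchange. OpenSSL prints Kx=ECDH / Kx=DH
# for ECDHE / DHE, Kx=any for TLS 1.3 suites, and Kx=ECDH/RSA, Kx=DH/RSA (and
# similar) for the static variants, which are not forward secret.
_FS_KX = {"ECDH", "DH", "any"}

# Properties that should keep a suite out of SSLCipherSuite (this example's list).
_WEAK_CHECKS = (
    ("RC4", lambda e: e["enc"].startswith("RC4")),
    ("3DES", lambda e: e["enc"].startswith("3DES")),
    ("single-DES", lambda e: e["enc"].startswith("DES")),
    ("no-encryption", lambda e: e["enc"] == "None"),
    ("MD5-MAC", lambda e: e["mac"] == "MD5"),
    ("export-grade", lambda e: e["name"].startswith("EXP")),
    ("anonymous", lambda e: e["au"] == "None"),
)


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict, or None if it is not one."""
    m = _DESC_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a copy of a parsed entry with forward_secrecy and weak fields added."""
    out = dict(entry)
    out["forward_secrecy"] = entry["kx"] in _FS_KX
    out["weak"] = [label for label, check in _WEAK_CHECKS if check(entry)]
    return out


def audit_lines(lines):
    """Classify every cipher line in `lines`, preserving order; skip other lines."""
    rows = []
    for line in lines:
        entry = parse_cipher_line(line)
        if entry:
            rows.append(classify(entry))
    return rows


def expand_cipher_string(spec):
    """Return `openssl ciphers -v` style lines that `spec` selects in this OpenSSL.

    Returns [] when the string selects nothing, which is what happens when the
    configuration only names suites the compiled-in library no longer ships
    (for example RC4 on a modern build). Unknown names inside an otherwise valid
    string are silently dropped, so a suite missing from the result is the
    signal that the binary cannot use it. TLS 1.3 suites are always listed by
    OpenSSL 1.1.1+ regardless of the string, as it does not control them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["description"] for c in ctx.get_ciphers()]


# Constructed sample in the format `openssl ciphers -v` prints (not real output).
SAMPLE_OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3   Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
"""


def report(rows):
    """Format classified rows as a fixed-width table."""
    lines = []
    for r in rows:
        flags = ("PFS" if r["forward_secrecy"] else "no-PFS",) + tuple(r["weak"])
        lines.append("%-26s %-8s %s" % (r["name"], r["proto"], " ".join(flags)))
    return "\n".join(lines)


if __name__ == "__main__":
    print("# constructed sample:")
    print(report(audit_lines(SAMPLE_OPENSSL_CIPHERS_V.splitlines())))
    # The same SSLCipherSuite value as it expands in the OpenSSL Python links against.
    spec = "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:AES128-SHA:RC4-SHA"
    print("\n# expanded by %s:" % ssl.OPENSSL_VERSION)
    print(report(audit_lines(expand_cipher_string(spec))) or "(nothing selectable)")
```

Running the block shows the static ECDH-RSA suite flagged no-PFS even though its name contains "ECDH", and RC4-SHA flagged as weak; on a current OpenSSL the second table will simply lack RC4-SHA, which is the "available to the compiled binary" check the post asks for.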