ALL means include all ciphers. You'd then omit with !

To replace DH w/RSA I think you could do !ADH:+RSA

I recommend using the SSL utility at http://serversniff.net to confirm

On Thu, Jun 16, 2011 at 11:02:30PM +0800, sunhux G wrote:
> Hi
>
> Further to the post, what's the correct syntax to replace DH
> with RSA encryption?
>
> Choose which of the options below are correct:
> 1) SSLCipherSuite ALL:!ADH:RC4+RSA:HIGH:MEDIUM:
>    !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
> 2) SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:
>    !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
> 3) SSLCipherSuite !ADH:RC4+RSA:+HIGH:+MEDIUM:
>    !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
> 4) SSLCipherSuite !ADH:RC4+RSA:+HIGH:+MEDIUM:
>    !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
> 5) SSLCipherSuite !ADH:RC4+RSA:
>    !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
>
> What does ALL represent?
>
> Thanks
>
> On Sun, May 29, 2011 at 10:48 PM, sunhux G <sunhux@xxxxxxxxx> wrote:
> > I'm a newbie to encryption & a beginner to Apache.
> >
> >
> > Length: 81
> > Handshake Protocol: Server Hello
> > Handshake Type: Server Hello (2)
> > Length: 77
> > Version: TLS 1.0 (0x0301)
> > Random
> > gmt_unix_time: May 23, 2011 11:01:51.0000000000
> > random_bytes: C0C48BA2.....
> > Session ID Length: 32
> > Session ID: 53283989...
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0X0039) <==
> >
> > Above is an extract of data traffic sniffed using a product which
> > I'm evaluating.
> >
> > I have a requirement to use a sniffing product (which I connect to our
> > internal LAN) to capture users' access to our website portal, to check
> > which pages the users access & the time a user logs in / logs out, &
> > SSL https encryption is involved. However, to do this, I'll need to do
> > decryption.
> >
> > My Apache web servers appear to be configured to use "Diffie-Hellman" key
> > exchange. This can be verified by looking at the Server Hello packets and
> > viewing the Cipher Suite (as shown in the above traffic capture). "DHE" means
> > Diffie-Hellman key exchange.
> >
> > I suppose this means the shared private key from the web server is not used.
> > In Diffie-Hellman key exchange, the private key for each session is created
> > dynamically between the client and server, and is therefore technically
> > impossible to decrypt: correct me if I'm wrong. Refer to the links / urls below
> > on why DH key exchange makes SSL decryption impossible:
> > - http://www.unleashnetworks.com/blog/?p=28
> > - http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/
> >
> > In my Apache config file, there's the line below:
> > SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
> >
> >
> > Question:
> > Which alternative cipher provides the same encryption/key strength -
> > just doesn't use Diffie-Hellman for key exchange?
> >
> > How should I amend my Apache config file so that it replaces Diffie-Hellman
> > with this new encryption? Please provide as precise an instruction as possible,
> > & say whether I need to do "service httpd restart" or "service httpd reload".
> >
> > Any alternative proposed should not be flagged as a vulnerability during a
> > vulnerability scan.
> >
> >
> > Then I would be able to use the promiscuous-mode sniffing device to see a
> > user's logins & the slow pages that he accessed, etc.
> >
> >
> > Thanks
> >
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
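The thread turns on what the cipher-string operators actually do (ALL, the ! and + prefixes, and A+B inside one rule). The following is an added example, not code from the thread, from Apache or from OpenSSL: a small Python model of OpenSSL's cipher-string rules, run over a constructed table of suites, used to check whether a given SSLCipherSuite value still selects suites with DH key exchange. The suite table and its strength classes are constructed for the example, the function names (evaluate, dh_key_exchange_suites) are the example's own, and OpenSSL features such as @STRENGTH, DEFAULT and COMPLEMENTOFALL are left out.

```python
"""Model of OpenSSL cipher-string evaluation (the syntax behind SSLCipherSuite).

Added illustration, not code from the thread or from Apache/OpenSSL. The suite
table is constructed; the rule semantics follow OpenSSL's documented behaviour:
  ':' separates rules, a bare keyword appends matching suites not yet selected,
  '-' removes matches (they may be re-added later), '!' removes them permanently,
  '+' moves already-selected matches to the end, and 'A+B' inside a rule means
  suites matching both A and B. @STRENGTH, DEFAULT and COMPLEMENTOF* are omitted.
"""
import re
from collections import namedtuple

Suite = namedtuple("Suite", "name kx au enc mac strength")

# Constructed sample table in OpenSSL's Kx/Au/Enc/Mac terms (strength classes
# as OpenSSL 1.0.x graded them: AES and 3DES HIGH, RC4 MEDIUM).
SUITES = [
    Suite("DHE-RSA-AES256-SHA", "DH",  "RSA",  "AES256", "SHA1", "HIGH"),
    Suite("DHE-RSA-AES128-SHA", "DH",  "RSA",  "AES128", "SHA1", "HIGH"),
    Suite("AES256-SHA",         "RSA", "RSA",  "AES256", "SHA1", "HIGH"),
    Suite("AES128-SHA",         "RSA", "RSA",  "AES128", "SHA1", "HIGH"),
    Suite("DES-CBC3-SHA",       "RSA", "RSA",  "3DES",   "SHA1", "HIGH"),
    Suite("RC4-SHA",            "RSA", "RSA",  "RC4",    "SHA1", "MEDIUM"),
    Suite("RC4-MD5",            "RSA", "RSA",  "RC4",    "MD5",  "MEDIUM"),
    Suite("ADH-AES256-SHA",     "DH",  "None", "AES256", "SHA1", "HIGH"),
    Suite("ADH-RC4-MD5",        "DH",  "None", "RC4",    "MD5",  "MEDIUM"),
]

# Keyword -> predicate. "RSA" is static RSA key exchange with RSA auth, so it
# does not match DHE-RSA suites; "kEDH" (alias "DHE" on newer OpenSSL) is the
# ephemeral DH key-exchange class, which covers both DHE-RSA and ADH.
KEYWORDS = {
    "ALL":    lambda s: True,
    "HIGH":   lambda s: s.strength == "HIGH",
    "MEDIUM": lambda s: s.strength == "MEDIUM",
    "kRSA":   lambda s: s.kx == "RSA",
    "aRSA":   lambda s: s.au == "RSA",
    "RSA":    lambda s: s.kx == "RSA" and s.au == "RSA",
    "kEDH":   lambda s: s.kx == "DH",
    "DHE":    lambda s: s.kx == "DH",
    "aNULL":  lambda s: s.au == "None",
    "ADH":    lambda s: s.kx == "DH" and s.au == "None",
    "RC4":    lambda s: s.enc == "RC4",
    "AES":    lambda s: s.enc.startswith("AES"),
    "3DES":   lambda s: s.enc == "3DES",
    "SHA1":   lambda s: s.mac == "SHA1",
    "MD5":    lambda s: s.mac == "MD5",
}


def evaluate(cipher_string):
    """Return the ordered list of suite names a cipher string selects."""
    selected = []      # current ordered selection
    killed = set()     # removed with '!': can never be re-added
    for rule in re.split(r"[:, ]+", cipher_string.strip()):
        if not rule:
            continue
        op = ""
        if rule[0] in "!-+":
            op, rule = rule[0], rule[1:]
        preds = [KEYWORDS[k] for k in rule.split("+")]   # KeyError: unknown keyword
        matches = [s.name for s in SUITES if all(p(s) for p in preds)]
        if op == "!":
            killed.update(matches)
            selected = [n for n in selected if n not in matches]
        elif op == "-":
            selected = [n for n in selected if n not in matches]
        elif op == "+":
            selected = ([n for n in selected if n not in matches]
                        + [n for n in selected if n in matches])
        else:
            selected += [n for n in matches
                         if n not in selected and n not in killed]
    return selected


def dh_key_exchange_suites(cipher_string):
    """Selected suites that would still negotiate DH key exchange."""
    kx = {s.name: s.kx for s in SUITES}
    return [n for n in evaluate(cipher_string) if kx[n] == "DH"]


if __name__ == "__main__":
    for label, cs in [
        ("poster's current line ", "HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM"),
        ("reply's suggestion    ", "ALL:!ADH:+RSA"),
        ("exclude DH kx instead ", "HIGH:MEDIUM:!aNULL:!kEDH"),
    ]:
        print(label, cs)
        print("   selected:", evaluate(cs))
        print("   DH kx   :", dh_key_exchange_suites(cs) or "none")
```

Run on the thread's strings, the model shows that `+RSA` only reorders: after `ALL:!ADH:+RSA` the DHE-RSA suites are still selected (and still first), because `+` moves its matches to the end of the list rather than removing anything else, and `!ADH` drops only the anonymous DH suites. Excluding the ephemeral DH key-exchange class itself (`!kEDH`, or `!DHE` on newer OpenSSL) is what leaves only static RSA key exchange, at which point anyone holding the server's private key can decrypt recorded sessions; that is the point for the monitoring use case in the thread and is also exactly what forward secrecy otherwise prevents. Confirm the expansion against the real library with `openssl ciphers -v '<string>'` before reloading Apache, since the table here is a constructed subset.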