On September 14, 2011 11:30 , Lee Fisher <fisher.lee@xxxxxxxxx> wrote:
I am looking to disable SSL support for weak ciphers and SSL v2 protocol supportIt seems like SSLCipherSuite directives are not recognized without mod_ssl?Is it necessary to use mod_ssl to disable this?Essentially I am not currently using SSL at all, I just want to prevent any security holes.
The SSL protocol and SSL ciphers are only used if you are using SSL. mod_ssl is what implements SSL for Apache HTTP Server. Thus, if you are not using mod_ssl, you are not using SSL and you do not have to worry about weak ciphers or SSL protocol version 2.
The directives I use to disable SSL v2 and weak ciphers are: SSLProtocol ALL -SSLv2 SSLCipherSuite ALL:!NULL:!LOW:!EXP:!ADH:!MD5Definitely do not enable mod_ssl just to use these directives. It is safer and more secure (if you do not need SSL) to not load mod_ssl at all.
-- Mark Montague mark@xxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|