Re: SSL cipher suite modification

----- Original Message -----
> Hello,
> 
> Currently we are using the following ciphersuite in our httpd.conf
> file.
> 
> SSLCipherSuite
> !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 
> But our new client does not support the RC4+RSA cipher tag. They
> support the DES-CBC-SHA tag.
> 
> However, there are many other clients using the RC4+RSA tag. So I
> would like to know how to append the DES-CBC-SHA tag to the
> existing ciphersuite without changing the configuration.
> 
> Please let me know the SSLCipherSuite that is valid for both RC4+RSA
> and DES-CBC-SHA, as RC4+RSA is SSLv2 and DES-CBC-SHA is supported by
> SSLv3.
> 
> Kindly let me know if you need any further information.

How about something like?

  SSLCipherSuite !ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLHonorCipherOrder on

Although, frankly.. I'd probably not set +LOW or +SSLv2.. or anything below MEDIUM.
Or containing MD5 :-S

  SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
  SSLHonorCipherOrder on


But it doesn't really matter: adding !MD5 will result in a very
limited set if DES-CBC-SHA and RC4+RSA are your lowest entries:

  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA'
  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
  igalic@tynix ~ % 



Adding MD5 makes the situation worse, IMO.

I think you need to fix this. This is a problem.

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
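
The check the reply does by eye with `openssl ciphers -v`, as an added example that is not part of the original message: a shell function that reads such a listing and flags suites a server should not offer. The function name `audit_ciphers` and the weakness rules (under 128 bits, RC4, MD5 MAC, no encryption, anonymous authentication, export, SSLv2) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Flags weak suites in `openssl ciphers -v`
# output read from stdin; prints "<suite> <reasons>" and returns 1 if any is weak.
# The weakness rules are assumptions of this example.
audit_ciphers() {
    awk '
    $3 !~ /^Kx=/ { next }          # skip shell prompts and blank lines
    {
        reasons = ""
        if ($2 == "SSLv2") reasons = reasons ",sslv2"
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "Enc") {
                # Enc=DES(56) -> alg "DES", bits 56; Enc=None carries no size
                alg = kv[2]; bits = 0
                if (match(alg, /\([0-9]+\)/)) {
                    bits = substr(alg, RSTART + 1, RLENGTH - 2) + 0
                    alg = substr(alg, 1, RSTART - 1)
                }
                if (alg == "None") reasons = reasons ",no-encryption"
                else if (bits < 128) reasons = reasons ",key<128"
                if (alg == "RC4") reasons = reasons ",rc4"
            }
            if (kv[1] == "Mac" && kv[2] == "MD5") reasons = reasons ",md5-mac"
            if (kv[1] == "Au" && kv[2] == "None") reasons = reasons ",anonymous"
            if ($i == "export") reasons = reasons ",export"
        }
        if (reasons != "") { print $1, substr(reasons, 2); bad = 1 }
    }
    END { exit bad + 0 }'
}

# First two rows are the listing quoted in the reply; the AES row is constructed.
audit_ciphers <<'EOF' || echo "weak suites would be offered"
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EOF
```

To audit a live expansion, pipe it in: `openssl ciphers -v '<cipher string>' | audit_ciphers`.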



