Re: SSL cipher suite modification

Hi Igor,

Thanks a zillion.

I understand from your mail that the following 2 cipher suites will work with the existing and the new client configurations.

Kindly correct me if I'm wrong.

1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM

However the first cipher suite contains MD5, which is not preferable due to security reasons.

Hence we can use the second cipher suite, which is the same as the first one (both the clients using RC4+RSA and those using DES-CBC-SHA will be able to have a successful SSL handshake), but this one is more secure compared to the first one.

If we add the second cipher suite, does the configuration look as follows?
SSLProtocol +SSLv3
 SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
 SSLHonorCipherOrder on

Please let me know if I'm not clear.

2011/12/7 Igor Galić <i.galic@xxxxxxxxxxxxxx>


----- Original Message -----
> Hello ,
>
> Currently we are using the following ciphersuite in our httpd.conf
> file.
>
> SSLCipherSuite
> !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> But our new client does not support the RC4+RSA cipher tag. They
> support DES-CBC-SHA tag.
>
> However, there are many other clients using the RC4+RSA tag. So I
> would like to know how to append the DES-CBC-SHA tag to the
> existing ciphersuite without changing the configuration.
>
> Please let me know the SSLCipherSuite that is valid for both RC4+RSA
> and DES-CBC-SHA, as RC4+RSA is SSLv2 and DES-CBC-SHA is supported by
> SSLv3.
>
> Kindly let me know if you need any further information.

How about something like?

 SSLCipherSuite !ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLHonorCipherOrder on

Although, frankly.. I'd probably not set +LOW or +SSLv2.. or anything below MEDIUM.
Or containing MD5 :-S

 SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
 SSLHonorCipherOrder on


But it doesn't really matter: adding !MD5 will result in a very
limited set if DES-CBC-SHA and RC4+RSA are your lowest entries:

 igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
 DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
 RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
 igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA'
 DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
 RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
 igalic@tynix ~ %



Adding MD5 makes the situation worse, IMO.

I think you need to fix this. This is a problem.

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
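An added example, not from the thread or from the Apache/OpenSSL projects, that emulates the cipher-string rules behind the `openssl ciphers -v` output above: a bare item appends matching suites, while a `+`-prefixed item such as `+HIGH` only reorders suites already selected, which is why the second string expands to just DES-CBC-SHA and RC4-SHA. The cipher table is a constructed subset of libssl's real table (tags and ordering are assumptions); `openssl ciphers -v` stays the authoritative check for a real build.

```python
# Added example (not from the thread): emulates how OpenSSL evaluates an
# SSLCipherSuite string over a constructed subset of the real libssl table.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cipher:
    name: str
    tags: frozenset  # aliases this suite matches: kx/au, cipher, mac, strength

def _c(name, *tags):
    return Cipher(name, frozenset(tags) | {name})

TABLE = [  # constructed subset, in an assumed OpenSSL-like preference order
    _c("AES128-SHA",  "RSA", "AES", "SHA1", "HIGH", "SSLv3"),
    _c("RC4-SHA",     "RSA", "RC4", "SHA1", "MEDIUM", "SSLv3"),
    _c("RC4-MD5",     "RSA", "RC4", "MD5", "MEDIUM", "SSLv3"),
    _c("DES-CBC-SHA", "RSA", "DES", "SHA1", "LOW", "SSLv3"),
    _c("EXP-RC4-MD5", "RSA", "RC4", "MD5", "EXP", "EXPORT40", "SSLv3"),
    _c("ADH-RC4-MD5", "ADH", "DH", "RC4", "MD5", "MEDIUM", "SSLv3"),
]

def _match(cipher, pattern):
    # "RC4+RSA" inside a single item is a logical AND of aliases.
    return all(p in cipher.tags for p in pattern.split("+"))

def expand(spec):
    """Ordered suite list selected by `spec`, per openssl ciphers(1): a bare
    item appends new matches, '+' only moves already-selected matches to the
    end, '-' removes them, '!' removes them permanently."""
    selected, killed = [], set()
    for item in spec.split(":"):
        op, pattern = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = [c for c in TABLE if _match(c, pattern)]
        if op == "!":
            killed.update(hits)
            selected = [c for c in selected if c not in killed]
        elif op == "-":
            selected = [c for c in selected if c not in hits]
        elif op == "+":
            selected = ([c for c in selected if c not in hits]
                        + [c for c in selected if c in hits])
        else:
            selected += [c for c in hits if c not in killed and c not in selected]
    return [c.name for c in selected]
WEAK = {"MD5", "LOW", "EXP", "eNULL", "ADH"}
def weak_members(names):
    """Map each selected suite to the weak aliases it carries."""
    return {c.name: sorted(c.tags & WEAK)
            for c in TABLE if c.name in names and c.tags & WEAK}
```

Running `weak_members(expand(...))` on the two strings from the thread shows the first one keeping RC4-MD5 and an export suite, while the second still carries DES-CBC-SHA, which OpenSSL classes as LOW (56-bit DES), so the "safer" string is only safer relative to the first.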

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
