Re: SSL cipher suite modification


 



Hello Igor/Matus,

Issue is resolved for now after adding the cipher that our client supports.

Resolution: They have given the list of ciphers that they support. I have tried using one of the ciphers (DES-CBC-SHA) that they said they support. But with this they were unable to connect.

Then I have used the following command to get the protocol and cipher that they have used.

/opt/csw/bin/openssl s_client -connect clinethostname:443 -debug

Then it gave me the protocol that they have used.

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA

I have added this protocol and cipher to my sslciphersuite. It has enabled them to connect to our webserver.

I have suggested my clients to upgrade their applications to support SSLv3 and higher protocols.

Thanks a lot Igor, your input has helped me a lot...:)



On Thu, Dec 8, 2011 at 7:39 PM, Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx> wrote:
> On 08.12.11 00:38, aparna Puram wrote:
>> I understand from your mail that the following 2 cipher suites will work
>> with the existing and the new client configurations.
>>
>> Kindly correct me if I'm wrong.
>>
>> 1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> 2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
>>
>> However the first cipher suite contains MD5, which is not preferable due to
>> security reasons.
>
> You disallow MD5 due to security reasons, but allow null, export and low ciphers? :-)
>
> I use DEFAULT:!EXP:!LOW and I hope that's enough. You can exclude MD5 from those but I'd like to see your "security" reasons, due to paragraph above.
> --
> Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux is like a teepee: no Windows, no Gates and an apache inside...


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
 "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
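
The cipher strings quoted in this thread can be checked mechanically before they go into the server's cipher suite setting. The following is an added example, not code from the thread or from the Apache or OpenSSL projects: a small Python linter for OpenSSL cipher-list syntax, in which the WEAK set and the function names are assumptions of the example.

```python
import re

# Weak selectors: this example's own list (an assumption), not the thread's.
WEAK = {"NULL", "eNULL", "aNULL", "ADH", "EXP", "EXPORT", "EXPORT40",
        "EXPORT56", "LOW", "SSLv2", "DES", "RC4", "RC2", "MD5"}
# Cipher strings copied from the thread.
SUITE_1 = "!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
SUITE_2 = "!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM"
SUITE_REPLY = "DEFAULT:!EXP:!LOW"


def parse(cipher_string):
    """Split an OpenSSL cipher list into (operator, selector) pairs."""
    # "" adds; "!" removes permanently; "-" removes; "+" only moves ciphers
    # already in the list to the end and adds nothing.
    rules = []
    for item in re.split(r"[:, ]+", cipher_string.strip()):
        if item:
            op = item[0] if item[0] in "!-+" else ""
            rules.append((op, item[len(op):]))
    return rules


def weak_parts(selector):
    """Weak keywords named by a selector such as RC4+RSA or DES-CBC-SHA."""
    hits = []
    for term in selector.split("+"):        # "+" inside a selector means AND
        parts = term.split("-")             # explicit suite names use "-"
        if "CBC3" not in parts:             # DES-CBC3-* is 3DES, not DES
            hits += [p for p in parts if p in WEAK and p not in hits]
    return hits


def audit(cipher_string):
    """List (selector, weak keyword, effect) not cancelled by a "!" rule."""
    rules = parse(cipher_string)
    banned = {w for op, sel in rules if op == "!" for w in weak_parts(sel)}
    findings = []
    for op, sel in rules:
        if op in ("", "+"):
            effect = "adds" if op == "" else "keeps if already listed"
            findings += [(sel, w, effect) for w in weak_parts(sel)
                         if w not in banned]
    return findings


if __name__ == "__main__":
    for suite in (SUITE_1, SUITE_2, SUITE_REPLY):
        print(suite, *audit(suite), sep="\n    ")
```

The linter does not expand class names such as DEFAULT or HIGH, whose contents depend on the OpenSSL build; running `openssl ciphers -v '<string>'` on the server shows the actual expansion.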


