On Tue, Aug 7, 2012 at 7:46 AM, Eric Covener <covener@xxxxxxxxx> wrote:
> On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder@xxxxxxxxx> wrote:
>> I have been checking my Apache 2.2.14 server with this link:
>>
>> https://www.ssllabs.com/ssltest/index.html
...
>> Cipher Suites (sorted by strength; server has no preference)
>
> I'm not sure how the tool can make that determination. SSLv3-and-later
> allows the server to pick any cipher out of the intersection of what's
> supported by both ends

According to the site's docs (a post by Ivan Ristic), they do this, quote:

In a nutshell, here is what we do:

1. Send a list of cipher suites we wish to test (the list contains only the suites we know are supported)
2. If the server selects a suite that's not first on the list, we know it has a preference for it
3. If the server selects a suite that is first on the list, we put it at the end of the list and send the list again (if the server really has a preference for that suite, it will choose it even when the suite is at the bottom of the list).
4. We remove the selected suite from the list and repeat the process until we run out of suites

End quote.

>> I have the following in my server block:
>>
>> SSLProtocol all -SSLv2
>> SSLHonorCipherOrder On
>> # disallow DH ciphers
>> SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH
>>
>> It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
>> directives aren't working according to the test report.
>
> What does the following report on your system?
>
> openssl ciphers 'HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH'

I get this response:

RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA

> Although I also now notice you disabled MD5 but the scan reported
> rc4-md5. Are you sure it scanned your actual system and you're in the
> right vhost?

Well, as near as I know how to tell. The report does correctly report my host and other details, so I assume it's finding the directives in that block.

I do have multiple vhosts, and I will see if I can put those directives in a more general (higher) location.

I'm working on moving to openssl 1.0.1c and Apache 2.4.3, but I'm not moving very fast.

Thanks for the reply, Eric.

Best regards,

-Tom
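The four-step probing procedure quoted above, written out as an added example (my own code, not SSL Labs' or anything from this list): it runs the steps against two constructed simulated servers, one that enforces its own order as SSLHonorCipherOrder On would and one that simply takes the client's first acceptable suite, and includes a negotiator that performs the same probe against a host you administer using Python's ssl module. The suite lists are constructed sample data, and the host and port passed to live_negotiator are assumptions.

```python
import socket
import ssl
from typing import Callable, List, Optional, Tuple

# Constructed sample data: SERVER_ORDER is the server's own preference (what
# SSLHonorCipherOrder On enforces); CLIENT_LIST offers the same suites in another
# order. As in step 1, every candidate must be one the server accepts.
SERVER_ORDER = ["AES256-SHA", "RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"]
CLIENT_LIST = ["RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
Negotiate = Callable[[List[str]], Optional[str]]  # offered list -> suite chosen

def server_with_preference(offered: List[str]) -> Optional[str]:
    """Simulated server honouring its own order (SSLHonorCipherOrder On)."""
    return next((s for s in SERVER_ORDER if s in offered), None)

def server_no_preference(offered: List[str]) -> Optional[str]:
    """Simulated server taking the client's first acceptable suite."""
    return next((s for s in offered if s in SERVER_ORDER), None)

def probe_preference(negotiate: Negotiate, candidates: List[str]) -> Tuple[List[str], bool]:
    """Steps 1-4 of the quoted procedure -> (suites in the server's choice order, has_preference)."""
    remaining, order, has_preference = list(candidates), [], False
    while remaining:
        chosen = negotiate(remaining)
        if chosen is None:
            break
        if chosen != remaining[0]:
            has_preference = True  # step 2: the server skipped our first choice
        elif len(remaining) > 1 and negotiate(remaining[1:] + [chosen]) == chosen:
            has_preference = True  # step 3: still chosen when moved to the bottom
        order.append(chosen)
        remaining.remove(chosen)   # step 4: drop it and go round again
    return order, has_preference

def live_negotiator(host: str, port: int = 443) -> Negotiate:
    """One real handshake per offered list, for a server you own. Pinned to TLS 1.2 since
    set_ciphers() does not govern TLS 1.3 suites; an OpenSSL refusing legacy names gives None."""
    def negotiate(offered: List[str]) -> Optional[str]:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # certificate validity is not what is being tested
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(":".join(offered))
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return tls.cipher()[0]
        except (ssl.SSLError, OSError):
            return None
    return negotiate
```

Against the simulated servers, probe_preference returns the server's own order with True for the enforcing server and the client's order with False for the other; `probe_preference(live_negotiator("your.host.example"), suites)` does the same against a real vhost, one handshake per offered list.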