SSLCipherSuite and problems with Firefox, Mozilla

Hi All,

I've been trying to configure an apache server with some SSL restrictions, in 
particular to disallow weak encryption methods.  I've followed the 
instructions on the apache site for this, 
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html and also looked at the 
O'Reilly book Apache Security, pages 90-91.  

The configuration I have is:
        SSLEngine on
        SSLCertificateFile <cert file location>
        SSLCertificateKeyFile <key file location>
        SSLCACertificateFile <CA cert file location>
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        SSLProtocol All -SSLv2
#       SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
#       SSLCipherSuite ALL:!EXP:!NULL:!ADH:+HIGH:+MEDIUM:!LOW
#       SSLCipherSuite ALL
#       SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
        SSLProxyEngine on

All the lines commented out caused Firefox, Mozilla, and Opera to fail to open 
a https session.  IE and Konqueror worked without problems.  With the first 
SSLCipherSuite line active, Konqueror used the RC4-MD5, SSLv3 Cipher, IE I 
couldn't find out.  When I ran the server without the SSLCipherSuite 
directive and connected with Firefox, it used the AES 128 bit encryption, 
which as I understand should have been allowed when the SSLCipherSuite was 
active.  Firefox also failed when I used the SSLCipherSuite ALL directive, 
however again IE and Konqueror worked.

I'm quite confused as to what is happening here and would like to know if 
anyone has any suggestions.

Markus

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
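
One way to see what each SSLCipherSuite string quoted in the message above expands to, as an added example that is not part of the original post. It queries the OpenSSL library linked into the local Python, which is an assumption and may differ from the server's OpenSSL build; `expand` and `audit` are hypothetical helper names.

```python
import ssl

# The four SSLCipherSuite values from the post, copied verbatim.
CIPHER_STRINGS = [
    "ALL:!EXP:!NULL:!ADH:!LOW",
    "ALL:!EXP:!NULL:!ADH:+HIGH:+MEDIUM:!LOW",
    "ALL",
    "RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW",
]

def expand(cipher_string):
    """Ordered (name, protocol, bits) suites the local OpenSSL derives."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects nothing in this OpenSSL build
    # TLS 1.3 suites are not governed by this kind of cipher string, so
    # they are dropped to show only what the string itself controls.
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(cipher_string, wanted="AES128"):
    """Summarise one string: size, preference order, and two checks."""
    suites = expand(cipher_string)
    names = [name for name, _, _ in suites]
    return {
        "count": len(names),
        # Server preference order starts here; "+HIGH" style terms move
        # already-selected suites to the end of the list.
        "first": names[:3],
        # Does the list still contain a suite of the kind the client used?
        "offers_wanted": any(wanted in n for n in names),
        # Suites the string tries to exclude but which are still present.
        "excluded_but_present": [n for n in names
                                 if "NULL" in n or n.startswith(("ADH-", "EXP-"))],
    }

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for s in CIPHER_STRINGS:
        r = audit(s)
        print(f"{s}\n  suites={r['count']} first={r['first']}")
        print(f"  offers AES128={r['offers_wanted']} "
              f"leftovers={r['excluded_but_present']}")
```

Running the same strings through `openssl ciphers -v` on the server itself shows the list as that build sees it.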