I would like clarification as to whether the SSLProtocol directive is absolutely necessary when trying to achieve the highest level of security when configuring Apache.
Can the SSLCipherSuite directive overwrite what is designated in the SSLProtocol directive?
For example: SSLProtocol SSLv2 SSLCipherSuite TLSv1:SSLv3:+HIGH:+MEDIUM:!LOW:!NULL Would the SSLCipherSuite directive above prevent SSLv2 from being used? Thanks in advance. On Jul 27, 2009, at 9:02 AM, Capstone wrote:
I guess I may be confused as to the relationship between these to directives in the Apache 2 httpd.conf file.Specifically, will SSLCipherSuite directive take precedence over the SSLProtocol directive?For Example;If I have omitted the SSLProtocol directive entirely. But I have something like this in my SSLCipherSuite directive,SSLCipherSuite TLSv1:SSLv3:+HIGH:+MEDIUM:!LOW:!NULL Does this not allow any SSLv2 traffic to my server? Any info or help is greatly appreciated. ---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|