Using SSLCipherSuite to restrict to faster cipher algorithms
Hello,
I have a setup where Apache 2.2.3 is serving a large SVN repository with WebDAV over HTTPS (using basic authentication).
Everything is working correctly; I would simply like to force usage of faster cipher algorithms (trading some security in favor of speed) than what seems to be allowed right now (for instance, AES 256 is used when I connect with Firefox).
My idea is that, by only allowing less secure but faster algorithms, all SVN clients (command-line SVN or TortoiseSVN, for instance) will be forced to use these faster algorithms, thus speeding up SVN operations.
I have played quite a bit with the SSLCipherSuite setting (at the virtual host level), but I apparently cannot manage to force the client to specific algorithms (RC4 for instance).
As an experiment, I have tried that (at the virtual host level):
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:+RC4+RSA:!HIGH:!LOW:!EXP:!NULL
which, if I understand correctly, should force usage of RC4+RSA if available, or other algorithms from the "medium" list:
$ openssl ciphers -v 'ALL:!ADH:+RC4+RSA:!HIGH:!LOW:!EXP:!NULL'
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
Yet, Firefox still seems to be able to negotiate using AES 256. I am puzzled.
Am I using the SSLCipherSuite setting correctly? Is there a way (possibly another way) to achieve this optimization?
For information, I am using Apache/2.2.3 and OpenSSL 0.9.8b 04 May 2006 on CentOS release 5.2 (Final).
Here is the relevant part of the virtual host configuration:
<VirtualHost XXX.XXX.XXX.XXX:443>
ServerAdmin "XXX"
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/psa/var/certificates/certVl10777
...
</Directory>
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
<Location />
DAV svn
Require valid-user
AuthType Basic
AuthName "Subversion Repository"
SSLRequireSSL
</Location>
</VirtualHost>
Cheers,
Franz
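As an added example (not from the post, Apache or OpenSSL), a short audit of the expanded cipher list quoted above: it parses `openssl ciphers -v` output into its fields and flags suites a defender would normally keep disabled; the weak-cipher policy sets are an assumption.

```python
import re

# Sample input, copied from the `openssl ciphers -v` output quoted in the post.
SAMPLE = """\
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

# One `openssl ciphers -v` line: name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

def parse_ciphers(text):
    """Return one dict per suite; a line that does not parse is an error."""
    suites = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparsed cipher line: %r" % line)
        suites.append(m.groupdict())
    return suites

def allows_enc(suites, enc):
    return any(s["enc"] == enc for s in suites)

# Assumed policy for the audit: legacy bulk ciphers, MD5 MACs and SSLv2.
WEAK_ENC, WEAK_MAC, WEAK_PROTO = {"RC4", "RC2", "DES", "None"}, {"MD5"}, {"SSLv2"}

def audit(suites):
    """Map (name, protocol) to its policy findings; an empty list means clean."""
    findings = {}
    for s in suites:
        reasons = []
        if s["proto"] in WEAK_PROTO:
            reasons.append("protocol " + s["proto"])
        if s["enc"] in WEAK_ENC:
            reasons.append("cipher " + s["enc"])
        if s["mac"] in WEAK_MAC:
            reasons.append("mac " + s["mac"])
        findings[(s["name"], s["proto"])] = reasons
    return findings
```

The parsed list contains no AES suite at all, so a server actually applying that string could not negotiate AES 256 with Firefox; a mismatch like that points at the SSLCipherSuite directive not being the one in effect for the vhost rather than at the string itself. Separately, OpenSSL's `+` only moves the matching suites to the end of the current list, it does not prefer them.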