Re: Using SSLCipherSuite to restrict to faster cipher algorithms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Dec 16, 2009 at 5:03 PM, Justin Pasher <justinp@xxxxxxxxxxxxxxxxxxx> wrote:
François Beaune wrote:
Hey Justin,

Thanks for your answer.  I did add the various versions of the SSLCipherSuite directive to my virtual host container, sorry if that wasn't clear.

In the meantime I found that, by inspecting the handshake between TortoiseSVN and Apache, the connection does use RC4, which is good.  Still, I don't understand why this doesn't happen with Firefox (it always uses AES 256, which shouldn't be allowed, if I understand things correctly).  Any clue?

Did you try running the shell script to verify that the server is correctly applying the SSLCipherSuite directive and only offering the ciphers you have allowed?


http://www.lazorsoftware.com/lazorsoft/files/openssl_check.sh


Sorry, I had overlooked your suggestion.  Here's the output of the script:

$ ./openssl_check.sh svn.mydomain.net
Checking svn.mydomain.net:443 ...
  - DHE-DSS-RC4-SHA
  - EXP1024-DHE-DSS-RC4-SHA
  + EXP1024-RC4-SHA at Server public key is 2048 bit
  - EXP1024-DHE-DSS-DES-CBC-SHA
  + EXP1024-DES-CBC-SHA at Server public key is 2048 bit
  - ADH-AES256-SHA
  + DHE-RSA-AES256-SHA at Server public key is 2048 bit
  - DHE-DSS-AES256-SHA
  + AES256-SHA at Server public key is 2048 bit
  - ADH-AES128-SHA
  + DHE-RSA-AES128-SHA at Server public key is 2048 bit
  - DHE-DSS-AES128-SHA
  + AES128-SHA at Server public key is 2048 bit
  - EXP-KRB5-RC4-MD5
  - EXP-KRB5-RC2-CBC-MD5
  - EXP-KRB5-DES-CBC-MD5
  - EXP-KRB5-RC4-SHA
  - EXP-KRB5-RC2-CBC-SHA
  - EXP-KRB5-DES-CBC-SHA
  - KRB5-RC4-MD5
  - KRB5-DES-CBC3-MD5
  - KRB5-DES-CBC-MD5
  - KRB5-RC4-SHA
  - KRB5-DES-CBC3-SHA
  - KRB5-DES-CBC-SHA
  - ADH-DES-CBC3-SHA
  - ADH-DES-CBC-SHA
  - EXP-ADH-DES-CBC-SHA
  - ADH-RC4-MD5
  - EXP-ADH-RC4-MD5
  + EDH-RSA-DES-CBC3-SHA at Server public key is 2048 bit
  + EDH-RSA-DES-CBC-SHA at Server public key is 2048 bit
  + EXP-EDH-RSA-DES-CBC-SHA at Server public key is 2048 bit
  - EDH-DSS-DES-CBC3-SHA
  - EDH-DSS-DES-CBC-SHA
  - EXP-EDH-DSS-DES-CBC-SHA
  + DES-CBC3-SHA at Server public key is 2048 bit
  + DES-CBC-SHA at Server public key is 2048 bit
  + EXP-DES-CBC-SHA at Server public key is 2048 bit
  + EXP-RC2-CBC-MD5 at Server public key is 2048 bit
  + RC4-SHA at Server public key is 2048 bit
  + RC4-MD5 at Server public key is 2048 bit
  + EXP-RC4-MD5 at Server public key is 2048 bit
  - DES-CBC3-MD5
  - DES-CBC-MD5
  + EXP-RC2-CBC-MD5 at Server public key is 2048 bit
  - RC2-CBC-MD5
  + EXP-RC4-MD5 at Server public key is 2048 bit
  + RC4-MD5 at Server public key is 2048 bit
  - NULL-SHA
  - NULL-MD5

I suspect this isn't correct though, as the list stays the same regardless of how I set SSLCipherSuite (I did restart Apache after each change to SSLCipherSuite).  Either I'm not using the script correctly, or I'm not setting SSLCipherSuite correctly, or I'm doing another error.  Any idea?

Thanks for your help.

Cheers,
Franz

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux