Hello,
First of all, thank you for your reply!
> First off: try some HIGH settings, like:
> openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'
Done:
[r...@t conf.d]# grep -i 'sslciphersuite' ssl.conf
#SSLCipherSuite ALL:!ADH:!EXP-DES-CBC-SSLCipherSuite
RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5
[r...@vm189 conf.d]#
> Does it change sslscan's output?
Unfortunately the output is still the same:
[gpa...@t32 ~]$ sslscan 10.x.xx.xx | grep -i acc
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
[gpa...@t32 ~]$
> second: Are you restarting the server?
Yes of course.
AFAIK a graceful restart should be sufficient but, anyway, I'm doing my
tests following the configuration changes with a full restart.
I'm quite sure I'm missing something obvious, but I can't really figure
out what.
Gabriele Paggi
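
Added example, not part of the original message: one way to check mechanically whether the configured cipher string is in effect is to diff the suites sslscan reports as accepted against the expansion of that string. The function name, the sample scan lines and the sample allowed list are constructed for illustration; the real allowed list should come from `openssl ciphers` run on the server itself.

```shell
#!/bin/sh
# Constructed sample: a few lines in the "Accepted <proto> <n> bits <suite>"
# layout shown in the sslscan output above (not a real scan).
sample_scan() {
cat <<'EOF'
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Rejected TLSv1 128 bits ADH-AES128-SHA
EOF
}

# Constructed stand-in for the colon-separated list that
#   openssl ciphers 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'
# prints; the real expansion depends on the server's OpenSSL build.
SAMPLE_ALLOWED='DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:RC4-SHA'

# unexpected_suites ALLOWED_LIST < scan-output
# Prints every accepted suite that is absent from ALLOWED_LIST, one per line
# as "<proto> <suite> (<n> bits)". Any output means the server is negotiating
# suites the configured string excludes, i.e. the directive is not the one
# governing the listener that was scanned.
unexpected_suites() {
  awk -v allowed="$1" '
    BEGIN {
      n = split(allowed, names, ":")
      for (i = 1; i <= n; i++) ok[names[i]] = 1
    }
    # Only "Accepted" rows count; awk field splitting ignores the column padding.
    $1 == "Accepted" && $4 == "bits" && !($5 in ok) {
      print $2, $5, "(" $3 " bits)"
    }
  '
}

# Stand-alone run over the constructed sample.
sample_scan | unexpected_suites "$SAMPLE_ALLOWED"

# Against a live host (10.x.xx.xx as redacted in the message above):
#   sslscan 10.x.xx.xx | unexpected_suites "$(openssl ciphers 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5')"
```

An empty result means every accepted suite is one the string permits; run `openssl ciphers` on the server so the expansion reflects the OpenSSL build the server is using.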
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.