Martin,

On 1/10/13 11:00 PM, Martin Gainty wrote:
>
> http://security.stackexchange.com/questions/7440/what-ciphers-should-i-use-in-my-web-server-after-i-configure-my-ssl-certificate
>
> With a RSA key you can nominally use the "RSA" and "DHE_RSA" cipher
> suite. But if the server certificate has a Key Usage
> extension which does not include the "keyEncipherment" flag, then
> you are nominally limited to "DHE_RSA". With a DSA key you can use
> only a "DHE_DSS" cipher suite. With a Diffie-Hellman key, you can
> use only one of "DH_RSA" or "DH_DSS", depending on the issuing
> certificate authority key type. your witness

My certificate technical details:

Signature Algorithm: sha1WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)

$ sslscan [myhost] | grep Accepted
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

So, my server with a 2048-bit RSA key with SHA1 signature will accept
all kinds of key exchange schemes (DHE, EDH, etc.), all kinds of block
ciphers (AES, DES, 3DES, RC4), and all kinds of MAC algorithms (SHA1,
MD5). Your assertion that somehow I'm limited to RSA + SHA1 + some
weird selection of ciphers that are bound to my key or certificate's
technical details is simply false.

-chris
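
Added example, not part of the original message: a Python sketch that splits each accepted suite name from sslscan-style output into key exchange, cipher and MAC, and compares the key exchange with the families the quoted StackExchange text lists for a given server key type. The function names are hypothetical, the sample lines are constructed in the format shown above, and only the RSA, DHE/EDH and DH name shapes from this thread are handled.

```python
import re

# Constructed sample, in the format of the sslscan lines quoted in the message.
SAMPLE = """\
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
"""
LINE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def nominal_kx(key_type, key_encipherment=True):
    """Key-exchange families the quoted text lists for a server key type."""
    if key_type == "RSA":
        return {"RSA", "DHE_RSA"} if key_encipherment else {"DHE_RSA"}
    if key_type == "DSA":
        return {"DHE_DSS"}
    if key_type == "DH":
        return {"DH_RSA", "DH_DSS"}
    raise ValueError(f"unhandled key type: {key_type}")

def split_suite(name):
    """Split an OpenSSL suite name into (key exchange, cipher, MAC)."""
    parts = name.split("-")
    mac = parts.pop()
    if parts[0] in ("ECDHE", "ECDH", "ADH", "AECDH", "PSK", "SRP"):
        raise ValueError(f"suite family not covered here: {name}")
    if parts[0] in ("DHE", "EDH", "DH") and len(parts) > 2:
        # EDH is OpenSSL's older spelling of DHE; the next token is the auth key.
        kx = ("DH_" if parts[0] == "DH" else "DHE_") + parts[1]
        parts = parts[2:]
    else:
        # Names with no key-exchange prefix use RSA key transport.
        kx = "RSA"
    return kx, "-".join(parts), mac

def audit(scan_text, key_type, key_encipherment=True):
    """Return (protocol, suite, kx, kx_in_nominal_set) per accepted suite."""
    allowed = nominal_kx(key_type, key_encipherment)
    rows = []
    for line in scan_text.splitlines():
        m = LINE.match(line)
        if m:
            proto, _bits, suite = m.groups()
            kx = split_suite(suite)[0]
            rows.append((proto, suite, kx, kx in allowed))
    return rows
```

Calling `audit(SAMPLE, "RSA", key_encipherment=False)` marks the plain RSA key-transport suites as outside the nominal set, which is the Key Usage case the quoted text describes.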