tom.browder at gmail
Aug 7, 2012, 6:05 AM
Post #3 of 3
On Tue, Aug 7, 2012 at 7:46 AM, Eric Covener <covener [at] gmail> wrote:
Re: Two SSL directives appear to be not working with SSL Labs server test
[In reply to]
> On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.browder [at] gmail> wrote:
>> I have been checking my Apache 2.2.14 server with this link:
>> Cipher Suites (sorted by strength; server has no preference)
> I'm not sure how the tool can make that determination. SSLv3-and-later
> allows the server to pick any cipher out of the intersection of what's
> supported by both ends
According to the site's docs (a post by Ivan Ristic), they do this, quote:
In the nutshell, here is what we do:
1. Send a list of cipher suites we wish to test (the list contains
only the suites we know are supported)
2. If the server selects a suite that's not first on the list, we know
it has a preference for it
3. If the server selects a sute that is first on the list, we put it
at the end of the list and send the list again (if the server really
has a preference for that suite, it will choose it even when the suite
is at the bottom of the list.
4. We remove the selected suite from the list and repeat the process
until we run out of suites
>> I have the following in my server block:
>> SSLProtocol all -SSLv2
>> SSLHonorCipherOrder On
>> # disallow DH ciphers
>> SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH
>> It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
>> directives aren't working according to the test report.
> What does the following report on your system?
> openssl ciphers 'HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH'
I get this response:
> Although I also now notice you disabled MD5 but the scan reported
> rc4-md5. Are you sure it scanned your actual system and you're in the
> right vhost?
Well, as near as I know how to tell. The report does correctly report
my host and other details, so I assume it's finding the directives in
that block. I do have multiple vhosts, and I will see if I can put
those directives in a more general (higher) location.
I'm working on moving to openssl 1.0.1c and Apache 2.4.3, but I'm not
moving very fast.
Thanks for the reply, Eric.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd