On 21.07.2010 12:59, Igor Galić wrote:


+SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
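Review bot: the cipher string on this +SSLCipherSuite line starts from ALL and subtracts groups afterwards, so the set it finally enables depends on the OpenSSL version and build options of the server it runs on. A comment above the directive stating the intent (RC4-SHA and AES128-SHA preferred, then everything else except ADH, EXP, LOW, MD5, SSLV2 and NULL) would let later edits be checked against it with openssl ciphers.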
Reminds me a bit of: 
http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/

Can't we simplify that to:

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5

Since it's basically the same:

i.ga...@panic ~/Projects/asf/httpd (svn)-[trunk:966169] % openssl ciphers 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'|md5sum -
c1977a5b8a9cea42329be929398c6941  -
i.ga...@panic ~/Projects/asf/httpd (svn)-[trunk:966169] % openssl ciphers 'RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL' | md5sum -
c1977a5b8a9cea42329be929398c6941  -

OpenSSL experts might want to disagree with me at this point.

Not an openssl expert, but: depending on the build options and openssl version, e.g. IDEA-CBC-SHA is part of the longer cipher suite, but not part of yours (checked for 0.9.8o).

My feeling is that the longer cipher suite on the one hand could allow more ciphers (ALL instead of HIGH) and adjusts that by being more explicit about which ciphers to disable. Seems more understandable to me, especially the "what's excluded" part.

More opinions welcome.

Regards,

Rainer
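
An added example, not part of the thread: the md5sum comparison above only says whether two expansions match on one build, not which ciphers differ when they do not. This script compares two expanded lists member by member; the function names are hypothetical and the sample lists are constructed and shortened, not real openssl output.

```shell
#!/bin/sh
# Added example (not from the thread): compare two expanded cipher lists
# member by member instead of by checksum.

# expand SPEC: what the local OpenSSL build makes of a cipher spec.
expand() { openssl ciphers "$1"; }

# only_in A B: ciphers of colon-separated list A that are absent from
# list B, kept in A's order and printed colon-separated.
only_in() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(b, lb, ":")
    for (i = 1; i <= n; i++) seen[lb[i]] = 1
    m = split(a, la, ":")
    for (i = 1; i <= m; i++)
      if (la[i] != "" && !(la[i] in seen))
        out = out (out == "" ? "" : ":") la[i]
    print out
  }'
}

# verdict A B: "identical", "reordered" (same members, different
# preference order) or "different" (membership differs).
verdict() {
  if [ "$1" = "$2" ]; then echo identical
  elif [ -z "$(only_in "$1" "$2")" ] && [ -z "$(only_in "$2" "$1")" ]; then
    echo reordered
  else echo different
  fi
}

# report A B: readable summary of the comparison.
report() {
  echo "verdict:        $(verdict "$1" "$2")"
  echo "only in first:  $(only_in "$1" "$2")"
  echo "only in second: $(only_in "$2" "$1")"
}

if [ "$#" -eq 2 ]; then
  # Two cipher specs given: expand both with the local OpenSSL build.
  report "$(expand "$1")" "$(expand "$2")"
else
  # Constructed sample: a build where the ALL-based spec keeps IDEA-CBC-SHA.
  LONG_SAMPLE='RC4-SHA:AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:IDEA-CBC-SHA:DES-CBC3-SHA'
  SHORT_SAMPLE='RC4-SHA:AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA'
  report "$LONG_SAMPLE" "$SHORT_SAMPLE"
fi
```

Called with the two cipher specs from the thread as arguments, it reports the difference for whatever OpenSSL build is installed on that host.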
