Many thanks.

On Thu, Oct 28, 2010 at 2:53 PM, Mark Montague <[email protected]> wrote:

> On October 28, 2010 17:30 , smu johnson <[email protected]> wrote:
>
>> Unfortunately, I cannot figure out a single way for apache2ctl to tell me
>> what ciphers apache is using. Not what it supports, but what it is
>> currently allowing when clients use https://.
>
> You can configure httpd to log which ciphers are actually being used
> for each request, see:
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats
>
>> The reason is I'm worried that it's allowing 40-bit encryption, and I
>> would like to see actual verification from Apache whether or not my current
>> setup is allowing it.
>
> To see if 40-bit encryption is permitted, run the following from the
> command line:
>
> openssl s_client -connect your-web-server.example.com:443 -cipher LOW
>
> If you get a line that looks like
>
> 140735078042748:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
>
> then 40-bit encryption is not supported and you are safe. If, however, you
> get an SSL-Session section in the output, then the Cipher line will indicate
> which cipher was actually negotiated and used in this test.
>
> More information and additional tests and examples are available at
>
> http://idlethreat.com/site/index.php/archives/181
> http://stephenventer.blogspot.com/2006/07/openssl-cipher-strength.html
>
> --
> Mark Montague
> [email protected]

--
smu johnson <[email protected]>
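
The check described in the quoted reply, as an added example that is not part of the original thread: a shell function that reads `openssl s_client` output and reports whether the handshake was refused or which cipher was negotiated. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: interpret `openssl s_client` output
# from a weak-cipher probe. Function names and sample outputs are constructed.

# Reads s_client output on stdin and prints one of:
#   rejected            the server refused every cipher that was offered
#   accepted <cipher>   a session was negotiated with <cipher>
#   unknown             neither pattern was found (e.g. connection refused)
classify_s_client() (
    out=$(cat)
    # Cipher line of the SSL-Session section: "    Cipher    : NAME"
    cipher=$(printf '%s\n' "$out" |
        sed -n '/^SSL-Session:/,$ s/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' |
        head -n 1)
    if printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
        echo "rejected"
    # s_client prints 0000 on the Cipher line when nothing was negotiated
    elif [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
        echo "accepted $cipher"
    else
        echo "unknown"
    fi
)

# Live check against a server you administer.
# $1 = host:port, $2 = OpenSSL cipher string (the thread uses LOW).
probe() {
    openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 | classify_s_client
}

# Constructed sample: the failure line quoted in the thread.
SAMPLE_REJECTED='CONNECTED(00000003)
140735078042748:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:'

# Constructed sample: a server that accepted a weak cipher.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC-SHA
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_REJECTED" | classify_s_client   # rejected
printf '%s\n' "$SAMPLE_ACCEPTED" | classify_s_client   # accepted DES-CBC-SHA
```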
