On 10/28/2010 4:42 PM, Eric Covener wrote:
> On Thu, Oct 28, 2010 at 5:30 PM, smu johnson <smujohn...@gmail.com> wrote:
>
>> I managed to get OpenSSL 0.9.8g and Apache/2.2.12 working together, but I
>> never defined what cipher rules I want to allow.
>> Unfortunately, I cannot figure out a single way for apache2ctl to tell me
>> what ciphers apache is using.
>
> The default SSLCipherSuite is in the manual
>
>> Not what it supports, but what it is
>> currently allowing when clients use https://.
>
> The manual recommends testing your SSLCipherSuite with the openssl
> command line utility.
>
> You could open an enhancement bugzilla entry to allow a config test or
> trace method to make the openssl calls to provide this info.

A debug emit at startup would be appropriate... had come across this in the context of FIPS... when giving a cipher list with non-FIPS ciphers, those are silently ignored (as are all unrecognized cipher patterns). A debug startup message after we set the cipher suite which retrieves the effective cipher list would be most helpful to admins in troubleshooting the typos in their list.
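
An added example, not code from this thread or from Apache: one way to do the check discussed above, using Python's ssl module (which calls into the local OpenSSL) in place of the openssl command line. It expands a cipher string to its effective list and reports the tokens that select nothing and would be silently ignored. The function names and the sample string are constructed for illustration, and the result reflects the OpenSSL build Python is linked against, which may differ from the one httpd loads.

```python
import re
import ssl


def effective_ciphers(spec):
    """Names of the TLS 1.2-and-below suites the local OpenSSL selects for spec.

    Returns [] when OpenSSL rejects the string because it selects nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are not controlled by this cipher string, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def unmatched_tokens(spec):
    """Tokens of spec that select no cipher at all in the local OpenSSL build.

    These are typos, or suites this build does not provide; inside a longer
    cipher string OpenSSL skips them without reporting an error.
    """
    unmatched = []
    # OpenSSL accepts colon, comma and space as separators.
    for token in re.split(r"[:, ]+", spec.strip()):
        bare = token.lstrip("!+-")  # drop the exclude/remove/reorder operator
        if not bare or bare.startswith("@"):
            continue  # @STRENGTH, @SECLEVEL=n are directives, not selectors
        if not effective_ciphers(bare):
            unmatched.append(token)
    return unmatched


if __name__ == "__main__":
    # Constructed sample value; HIHG is a deliberate typo for HIGH.
    spec = "HIGH:!aNULL:HIHG:@STRENGTH"
    print("tokens that select nothing:", unmatched_tokens(spec))
    print("effective cipher list:")
    for name in effective_ciphers(spec):
        print("  " + name)
```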