On 14 May 2014, at 19:10, Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com> wrote:
> Which Apache version do you use?

Below was with: Apache/2.4.9 OpenSSL 1.0.1e-freebsd but I reverted to that from a patched/hacked build from HEAD while investigating the issue.

Does this ring a bell?

Dw.

> From: Dirk-Willem van Gulik [mailto:di...@webweaving.org]
> Sent: Wednesday, 14 May 2014 11:23
> To: dev@httpd.apache.org
> Subject: Odd - SSLCipherSuite
>
> Now I must be getting rusty - we have in the config file
>
>     SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
>     SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
>
> with the first resolving nicely with
>
>     openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
>
> to just
>
>     ECDHE-RSA-AES256-SHA
>
> So my assumption is that this server will insist on talking above - and nothing else.
>
> And on the wire - if I observe the Server Hello I see:
>
>     Secure Sockets Layer
>         TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>             ...
>             Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>
> which is sort of what I expect.
>
> However when I throw
>
>     https://www.ssllabs.com/ssltest/analyze.html
>
> their analyzer at it - it seems to be quite able to convince the server to say hello's with
>
>     SSLv3 Record Layer: Handshake Protocol: Server Hello
>         Content Type: Handshake (22)
>         Version: SSL 3.0 (0x0300)
>         ...
>         Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>
> or
>
>     TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>         ...
>         Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>
> And so on*. I must be missing something very obvious here! Am I
> misunderstanding SSLCipherSuite or is there something specific about 1.2
> which makes certain things mandatory and not under control of SSLCipherSuite?
>
> Dw.
>
> * besides Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> Server Hello's with
>
>     Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
>     Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>     Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>     Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>     Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>     Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
>     Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
>     Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
>     Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
>     Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>     Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>     Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
>     Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>     Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>     Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>     Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>     Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>     Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
>     Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
>     Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
>     Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
>     Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>     Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
>     Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
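
A check for the mismatch described in this thread, added here as an example and not code from the thread or from httpd: it parses dissector-style Server Hello lines and flags any negotiated protocol or suite outside the posted `SSLProtocol` / `SSLCipherSuite` settings. The sample input is constructed from the values quoted above, the function names are hypothetical, and the allow-list assumes the standard mapping of OpenSSL's `ECDHE-RSA-AES256-SHA` to `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` (0xc014).

```python
import re

# Assumption: allow-lists mirror the posted config. OpenSSL's
# ECDHE-RSA-AES256-SHA is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, code point 0xC014.
ALLOWED_SUITES = {0xC014}                            # SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
ALLOWED_PROTOCOLS = {"SSLv3", "TLSv1.1", "TLSv1.2"}  # SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3

RECORD_RE = re.compile(r"^\s*(\S+) Record Layer: Handshake Protocol: Server Hello")
SUITE_RE = re.compile(r"^\s*Cipher Suite: (\S+) \((0x[0-9a-fA-F]{4})\)")

# Constructed sample: the three Server Hellos quoted in the thread.
SAMPLE = """\
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
SSLv3 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: SSL 3.0 (0x0300)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
"""

def parse_server_hellos(text):
    """Return [(protocol, suite_name, suite_id)], one entry per Server Hello."""
    hellos, protocol = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            protocol = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and protocol is not None:
            hellos.append((protocol, m.group(1), int(m.group(2), 16)))
            protocol = None  # a Server Hello carries exactly one chosen suite
    return hellos

def audit(text):
    """Return the Server Hellos whose protocol or suite is outside the config."""
    findings = []
    for protocol, name, suite_id in parse_server_hellos(text):
        checks = (("protocol", protocol not in ALLOWED_PROTOCOLS),
                  ("cipher", suite_id not in ALLOWED_SUITES))
        reasons = [label for label, violated in checks if violated]
        if reasons:
            findings.append((protocol, name, f"0x{suite_id:04x}", reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed sample all three Server Hellos are flagged on cipher, 0xc030 included, because the configured name resolves to the CBC-SHA suite 0xc014 and not the GCM-SHA384 one.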