Re: Cipher suite used in default Apache

2010-10-29 Thread smu johnson
Not that I have much say in the matter, being new here and all, but I
definitely like the idea.

I also had another one.  How opposed would anyone be, if apache2ctl
fullstatus gave a bit more of this relevant cipher info that I originally
inquired about?  Seems like a good place to stick it, since it wouldn't
require one to connect to oneself to see Apache2 / mod_ssl's status data.

Somewhere near SSL/TLS Session Cache Status: seems like a good place.

On Thu, Oct 28, 2010 at 10:53 PM, William A. Rowe Jr.
wr...@rowe-clan.net wrote:

  The manual recommends testing your SSLCipherSuite with the openssl
  command line utility.
 
  You could open an enhancement bugzilla entry to allow a config test or
  trace method to make the openssl calls to provide this info.

 A debug emit at startup would be appropriate... had come across this in the
 context of FIPS... when giving a cipher list with non-FIPS ciphers, those are
 silently ignored (as are all unrecognized cipher patterns).  A debug startup
 message after we set the cipher suite which retrieves the effective cipher
 list would be most helpful to admins in troubleshooting the typos in their
 list.

-- 
smu johnson smujohn...@gmail.com


Cipher suite used in default Apache

2010-10-28 Thread smu johnson
Hi,

This is my first post.  How's it going?

I managed to get OpenSSL 0.9.8g and Apache/2.2.12 working together, but I
never defined what cipher rules I want to allow.

Unfortunately, I cannot figure out a single way for apache2ctl to tell me
what ciphers apache is using.  Not what it supports, but what it is
currently allowing when clients use https://.  It sounds a bit like a user
question, but if it is not implemented, I wanted to toss the idea around
with a few devs here.

The reason is I'm worried that it's allowing 40-bit encryption, and I would
like to see actual verification from Apache whether or not my current setup
is allowing it.  Later, I will want to disable AES  128-bits, once I get an
idea of which ciphers it's hosting.  (See
http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html for more
info)

Another problem I found (I'm not whining or cracking a whip), is that the
apache2 docs don't even mention AES in them, which makes me think that the
allowable CipherSuite stuff documented is about 10 years out of date.

Does anyone have any advice for me?  Thank you.

-- 
smu johnson smujohn...@gmail.com


Re: Cipher suite used in default Apache

2010-10-28 Thread Eric Covener
On Thu, Oct 28, 2010 at 5:30 PM, smu johnson smujohn...@gmail.com wrote:

 I managed to get OpenSSL 0.9.8g and Apache/2.2.12 working together, but I
 never defined what cipher rules I want to allow.
 Unfortunately, I cannot figure out a single way for apache2ctl to tell me
 what ciphers apache is using.

The default SSLCipherSuite is in the manual

 Not what it supports, but what it is
 currently allowing when clients use https://.

The manual recommends testing your SSLCipherSuite with the openssl
command line utility.

You could open an enhancement bugzilla entry to allow a config test or
trace method to make the openssl calls to provide this info.

 Another problem I found (I'm not whining or cracking a whip), is that the
 apache2 docs don't even mention AES in them, which makes me think that the
 allowable CipherSuite stuff documented is about 10 years out of date.

I'm surprised it bothers to mention the rest instead of deferring to
openssl, but this would be a reasonable docs bug (to list it alongside
DES/RC4/etc)


-- 
Eric Covener
cove...@gmail.com


Re: Cipher suite used in default Apache

2010-10-28 Thread Mark Montague

 On October 28, 2010 17:30, smu johnson smujohn...@gmail.com wrote:
 Unfortunately, I cannot figure out a single way for apache2ctl to tell
 me what ciphers apache is using.  Not what it supports, but what it is
 currently allowing when clients use https://.

You can configure httpd to log which ciphers are actually being
used for each request, see:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats

 The reason is I'm worried that it's allowing 40-bit encryption, and I
 would like to see actual verification from Apache whether or not my
 current setup is allowing it.

To see if 40-bit encryption is permitted, run the following from the
command line:

openssl s_client -connect your-web-server.example.com:443 -cipher LOW

If you get a line that looks like

140735078042748:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:658:

then 40-bit encryption is not supported and you are safe.  If, however,
you get an SSL-Session section in the output, then the Cipher line will
indicate which cipher was actually negotiated and used in this test.


More information and additional tests and examples are available at

http://idlethreat.com/site/index.php/archives/181
http://stephenventer.blogspot.com/2006/07/openssl-cipher-strength.html

--
  Mark Montague
  m...@catseye.org



Re: Cipher suite used in default Apache

2010-10-28 Thread smu johnson
Many thanks.

On Thu, Oct 28, 2010 at 2:53 PM, Mark Montague m...@catseye.org wrote:

  On October 28, 2010 17:30, smu johnson smujohn...@gmail.com wrote:

  Unfortunately, I cannot figure out a single way for apache2ctl to tell me
 what ciphers apache is using.  Not what it supports, but what it is
 currently allowing when clients use https://.


 You can configure httpd to log which ciphers that are actually being used
 for each request, see:
 http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats



  The reason is I'm worried that it's allowing 40-bit encryption, and I
 would like to see actual verification from Apache whether or not my current
 setup is allowing it.


 To see if 40-bit encryption is permitted, run the following from the
 command line:

 openssl s_client -connect your-web-server.example.com:443 -cipher LOW

 If you get a line that looks like

 140735078042748:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
 alert handshake failure:s23_clnt.c:658:

 then 40-bit encryption is not supported and you are safe.  If, however, you
 get an SSL-Session section in the output, then the Cipher line will indicate
 which cipher was actually negotiated and used in this test.

 More information and additional tests and examples are available at

 http://idlethreat.com/site/index.php/archives/181
 http://stephenventer.blogspot.com/2006/07/openssl-cipher-strength.html

 --
  Mark Montague
  m...@catseye.org

-- 
smu johnson smujohn...@gmail.com


Re: Cipher suite used in default Apache

2010-10-28 Thread William A. Rowe Jr.
On 10/28/2010 4:42 PM, Eric Covener wrote:
 On Thu, Oct 28, 2010 at 5:30 PM, smu johnson smujohn...@gmail.com wrote:
 
 I managed to get OpenSSL 0.9.8g and Apache/2.2.12 working together, but I
 never defined what cipher rules I want to allow.
 Unfortunately, I cannot figure out a single way for apache2ctl to tell me
 what ciphers apache is using.
 
 The default SSLCipherSuite is in the manual
 
  Not what it supports, but what it is
 currently allowing when clients use https://.
 
 The manual recommends testing your SSLCipherSuite with the openssl
 command line utility.
 
 You could open an enhancement bugzilla entry to allow a config test or
 trace method to make the openssl calls to provide this info.

A debug emit at startup would be appropriate... had come across this in the
context of FIPS... when giving a cipher list with non-FIPS ciphers, those are
silently ignored (as are all unrecognized cipher patterns).  A debug startup
message after we set the cipher suite which retrieves the effective cipher
list would be most helpful to admins in troubleshooting the typos in their
list.
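
The two openssl(1) checks discussed in Mark's and William's replies, combined into one script. This is an added example, not code from the thread or from httpd; it assumes openssl(1) is on PATH and that HOST:PORT is a server you administer.

```shell
#!/bin/sh
# Added example (not from the thread or from httpd): probe which cipher
# groups a server accepts, and find SSLCipherSuite tokens OpenSSL would
# silently drop. Assumes openssl(1) on PATH; HOST:PORT is your own server.

# Read captured `openssl s_client` output on stdin and print the cipher from
# the SSL-Session block, or "none" when the handshake was refused (the
# "alert handshake failure" case; s_client then reports "Cipher : 0000").
negotiated_cipher() {
    awk '/^ *Cipher *:/ { cipher = $NF }
         END { if (cipher == "" || cipher == "0000") cipher = "none"; print cipher }'
}

# Offer one cipher group (LOW, EXPORT, MEDIUM, ...) to the server and report
# what it picked. Returns 0 when the group was refused, 1 when accepted, so
# a weak group being accepted shows up as a failing command.
probe_group() {
    result=$(openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 |
             negotiated_cipher)
    printf '%-8s -> %s\n' "$2" "$result"
    [ "$result" = none ]
}

# William's point: OpenSSL silently drops any SSLCipherSuite token that
# matches nothing (typos, names not built into this OpenSSL). Test each
# token on its own with `openssl ciphers` and name the ones that vanish.
check_suite_tokens() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    status=0
    for token in "$@"; do
        pattern=${token#[-+!]}                 # strip the !/+/- modifier
        case $pattern in @*) continue ;; esac  # @STRENGTH is a directive
        if ! openssl ciphers "$pattern" >/dev/null 2>&1; then
            echo "silently ignored: $token"; status=1
        fi
    done
    return $status
}

# Usage (suite string is illustrative, not httpd's default):
#   sh audit.sh your-web-server.example.com:443 'ALL:!ADH:!LOW:!EXP:!eNULL'
if [ $# -ge 2 ]; then
    check_suite_tokens "$2" || echo "fix the suite string before trusting the probe"
    for group in LOW EXPORT MEDIUM HIGH; do probe_group "$1" "$group"; done
fi
```

With a current OpenSSL that no longer builds LOW or EXPORT ciphers, s_client exits with "no cipher match" before connecting, which this script also reports as "none".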