Re: [users@httpd] SSL cipher suite modification
Hello Igor/Matus, Issue is resolved for now after adding the cipher that our client support. Resolution : They have given the list of ciphers that they support. I have tried using once of the cipher(DES-CBC-SHA) that they said they support. But with this they were unable to connect. Then I have used the follwoing command to get the protocol and cipher that they have used. /opt/csw/bin/openssl s_client -connect clinethostname:443 -debug Then it gave me the protocol that they have used. SSL-Session: Protocol : TLSv1 Cipher: DHE-RSA-AES256-SHA I have added this protocol and cipher to my sslciphersuite. It has enabled them to connect to our webserver. I have suggested my clinets to upgrade their applications to support SSLv3 and higher protocols. Thanks a lot Igor, Your input has helped me a lot...:) On Thu, Dec 8, 2011 at 7:39 PM, Matus UHLAR - fantomas uh...@fantomas.skwrote: On 08.12.11 00:38, aparna Puram wrote: I understand from your mail that the following 2 cipher suites will work with the existing and the new clinet configurations. Kindly correct me if I m wrong. 1--!ADH:!EXPORT56:DES-CBC-**SHA:RC4+RSA:+HIGH:+MEDIUM:+** LOW:+SSLv2:+EXP:+eNULL 2--!ADH:!MD5:DES-CBC-SHA:RC4+**RSA:+HIGH:+MEDIUM However the first cipher suite contains MD5, which is not preferable due to security reasons. you disallow md5 due to security reasons, but allow null,export and low ciphers? :-) I use DEFAULT:!EXP:!LOW and I hope that's enough. you can excloude MD5 from those but I'd like to see your security reasons, due to paragraph above. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux is like a teepee: no Windows, no Gates and an apache inside... --**--**- The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/**userslist.htmlhttp://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.**apache.orgusers-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscribe@**httpd.apache.orgusers-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SSL cipher suite modification
On 08.12.11 00:38, aparna Puram wrote: I understand from your mail that the following 2 cipher suites will work with the existing and the new clinet configurations. Kindly correct me if I m wrong. 1--!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 2--!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM However the first cipher suite contains MD5, which is not preferable due to security reasons. you disallow md5 due to security reasons, but allow null,export and low ciphers? :-) I use DEFAULT:!EXP:!LOW and I hope that's enough. you can excloude MD5 from those but I'd like to see your security reasons, due to paragraph above. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux is like a teepee: no Windows, no Gates and an apache inside... - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SSL cipher suite modification
- Original Message - Hello , Currently we are using the following ciphersuite in our httpd.conf file. SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL But our new client does not support the RC4+RSA cipher tag. They support DES-CBC-SHA tag. However, There are many other clinets using the RC4+RSA tag. So I would like to know, How to append the DES-CBC-SHA tag to the existing ciphersuite, Without changing the configuration. Please let me know the SSLCIpherSuite that is valid for both RC4+RSA and DES-CBC-SHA. As RC4+RSA is SSLv2 and DES-CBC-SHA is supported by SSLv3. Kindly let me know if you need any further information. How about something like? SSLCipherSuite !ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLHonorCipherOrder on Although, frankly.. I'd probably not set +LOW or +SSLv2.. or anything below MEDIUM. Or containing MD5 :-S SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM SSLHonorCipherOrder on But it doesn't really matter, the result of adding !MD5 will result in a very limited set if DES-CBC-SHA and RC4+RSA is your lowest entry: igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM' DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA' DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 igalic@tynix ~ % Adding MD5 makes the situation worse, IMO. I think you need to fix this. This is a problem. i -- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/ GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SSL cipher suite modification
Hi Igor, Thanks a zillion. I understand from your mail that the following 2 cipher suites will work with the existing and the new clinet configurations. Kindly correct me if I m wrong. 1--!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 2--!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM However the first cipher suite contains MD5, which is not preferable due to security reasons. Hence we can use the second cipher, which is same as the first cipher(both the clients those who are using RC4+RSA and the DES-CBC-SHA will be able to have a successful ssl handshake), but this one is more secured compared to the first one. If we add the second cipher suite. does the configuration look as following ? : SSLProtocol +SSLv3 SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM SSLHonorCipherOrder on Please let me know if I m not clear. 2011/12/7 Igor Galić i.ga...@brainsware.org - Original Message - Hello , Currently we are using the following ciphersuite in our httpd.conf file. SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL But our new client does not support the RC4+RSA cipher tag. They support DES-CBC-SHA tag. However, There are many other clinets using the RC4+RSA tag. So I would like to know, How to append the DES-CBC-SHA tag to the existing ciphersuite, Without changing the configuration. Please let me know the SSLCIpherSuite that is valid for both RC4+RSA and DES-CBC-SHA. As RC4+RSA is SSLv2 and DES-CBC-SHA is supported by SSLv3. Kindly let me know if you need any further information. How about something like? SSLCipherSuite !ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLHonorCipherOrder on Although, frankly.. I'd probably not set +LOW or +SSLv2.. or anything below MEDIUM. Or containing MD5 :-S SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM SSLHonorCipherOrder on But it doesn't really matter, the result of adding !MD5 will result in a very limited set if DES-CBC-SHA and RC4+RSA is your lowest entry: igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM' DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA' DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 igalic@tynix ~ % Adding MD5 makes the situation worse, IMO. I think you need to fix this. This is a problem. i -- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/ GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SSL cipher suite modification
- Original Message - Hi Igor, Thanks a zillion. I understand from your mail that the following 2 cipher suites will work with the existing and the new clinet configurations. Kindly correct me if I m wrong. 1--!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 2--!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM However the first cipher suite contains MD5, which is not preferable due to security reasons. Hence we can use the second cipher, which is same as the first cipher(both the clients those who are using RC4+RSA and the DES-CBC-SHA will be able to have a successful ssl handshake), but this one is more secured compared to the first one. If we add the second cipher suite. does the configuration look as following ? : SSLProtocol +SSLv3 SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM SSLHonorCipherOrder on igalic@tynix ~ % openssl ciphers -v ' !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM' DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 igalic@tynix ~ % SSLProtocol +SSLv3 is not very useful in this case, because SSLProtocol defaults to all, so, to all, you're adding SSLv3, but that's already contained in all, so it'll be ignored. One way or the other, the ciphersuite you're selecting will give you SSLv3 *only* anyway! AND it will limit you to exactly two ciphers. In effect, this: does the same: igalic@tynix ~ % openssl ciphers -v '!MD5:DES-CBC-SHA:RC4+RSA' DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 igalic@galic % Please let me know if I m not clear. My question is still: Why do you have to narrow your cipher suite down *so* much? - Is there a sane way to upgrade the clients such that they support modern, more secure, or just: *more* ciphers? i -- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/ GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SSL cipher suite modification
Hello Igor, Thanks a lot for excellent suggestion... We will raise this concern to our client. However, There are many third party servers that are connecting to our webserver, This will take time I guess. Hence we will try configuring the following for time being and check if the new client with DES-CBC-SHA is able to connect to our webserver. !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM I will again need your help, If the new client is unable to connect. THanks again... 2011/12/8 Igor Galić i.ga...@brainsware.org - Original Message - Hi Igor, Thanks a zillion. I understand from your mail that the following 2 cipher suites will work with the existing and the new clinet configurations. Kindly correct me if I m wrong. 1--!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 2--!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM However the first cipher suite contains MD5, which is not preferable due to security reasons. Hence we can use the second cipher, which is same as the first cipher(both the clients those who are using RC4+RSA and the DES-CBC-SHA will be able to have a successful ssl handshake), but this one is more secured compared to the first one. If we add the second cipher suite. does the configuration look as following ? : SSLProtocol +SSLv3 SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM SSLHonorCipherOrder on igalic@tynix ~ % openssl ciphers -v ' !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM' DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 igalic@tynix ~ % SSLProtocol +SSLv3 is not very useful in this case, because SSLProtocol defaults to all, so, to all, you're adding SSLv3, but that's already contained in all, so it'll be ignored. One way or the other, the ciphersuite you're selecting will give you SSLv3 *only* anyway! AND it will limit you to exactly two ciphers. In effect, this: does the same: igalic@tynix ~ % openssl ciphers -v '!MD5:DES-CBC-SHA:RC4+RSA' DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 igalic@galic % Please let me know if I m not clear. My question is still: Why do you have to narrow your cipher suite down *so* much? - Is there a sane way to upgrade the clients such that they support modern, more secure, or just: *more* ciphers? i -- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/ GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] SSL cipher suite modification
Hello , Currently we are using the following ciphersuite in our httpd.conf file. SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL But our new client does not support the RC4+RSA cipher tag. They support DES-CBC-SHA tag. However, There are many other clinets using the RC4+RSA tag. So I would like to know, How to append the DES-CBC-SHA tag to the existing ciphersuite, Without changing the configuration. Please let me know the SSLCIpherSuite that is valid for both RC4+RSA and DES-CBC-SHA. As RC4+RSA is SSLv2 and DES-CBC-SHA is supported by SSLv3. Kindly let me know if you need any further information.