Hello, I have a setup where Apache 2.2.3 is serving a large SVN repository with WebDAV over HTTPS (using basic authentication).

Everything is working correctly; I would simply like to force usage of faster cipher algorithms (trading some security in favor of speed) than what seems to be allowed right now (for instance, AES 256 is used when I connect with Firefox). My idea is that, by only allowing less secure but faster algorithms, all SVN clients (command-line SVN or TortoiseSVN, for instance) will be forced to use these faster algorithms, thus speeding up SVN operations.

I have played quite a bit with the SSLCipherSuite setting (at the virtual host level), but I apparently cannot manage to force the client to specific algorithms (RC4 for instance). As an experiment, I have tried that (at the virtual host level):

    SSLProtocol all -SSLv2
    SSLHonorCipherOrder on
    SSLCipherSuite ALL:!ADH:+RC4+RSA:!HIGH:!LOW:!EXP:!NULL

which, if I understand correctly, should force usage of RC4+RSA if available, or other algorithms from the "medium" list:

    $ openssl ciphers -v 'ALL:!ADH:+RC4+RSA:!HIGH:!LOW:!EXP:!NULL'
    DHE-DSS-RC4-SHA  SSLv3  Kx=DH    Au=DSS   Enc=RC4(128)  Mac=SHA1
    KRB5-RC4-MD5     SSLv3  Kx=KRB5  Au=KRB5  Enc=RC4(128)  Mac=MD5
    KRB5-RC4-SHA     SSLv3  Kx=KRB5  Au=KRB5  Enc=RC4(128)  Mac=SHA1
    RC2-CBC-MD5      SSLv2  Kx=RSA   Au=RSA   Enc=RC2(128)  Mac=MD5
    RC4-SHA          SSLv3  Kx=RSA   Au=RSA   Enc=RC4(128)  Mac=SHA1
    RC4-MD5          SSLv3  Kx=RSA   Au=RSA   Enc=RC4(128)  Mac=MD5
    RC4-MD5          SSLv2  Kx=RSA   Au=RSA   Enc=RC4(128)  Mac=MD5

Yet, Firefox still seems to be able to negotiate using AES 256. I am puzzled. Am I using the SSLCipherSuite setting correctly? Is there a way (possibly another way) to achieve this optimization?

For information, I am using Apache/2.2.3 and OpenSSL 0.9.8b 04 May 2006 on CentOS release 5.2 (Final).

Here is the relevant part of the virtual host configuration:

    <VirtualHost XXX.XXX.XXX.XXX:443>
        ServerName svn.mydomain.net:443
        ServerAdmin "XXX"
        DocumentRoot /var/www/vhosts/mydomain.net/subdomains/svn/httpdocs
        CustomLog /var/www/vhosts/mydomain.net/statistics/logs/access_ssl_log plesklog
        ErrorLog /var/www/vhosts/mydomain.net/statistics/logs/error_log
        SSLEngine on
        SSLVerifyClient none
        SSLCertificateFile /usr/local/psa/var/certificates/certVl10777
        <Directory /var/www/vhosts/mydomain.net/subdomains/svn/httpdocs>
            ...
        </Directory>
        SSLProtocol all -SSLv2
        SSLHonorCipherOrder on
        <Location />
            DAV svn
            SVNPath /var/www/vhosts/mydomain.net/svn/svnrepository
            AuthzSVNAccessFile /var/www/vhosts/mydomain.net/svn/svn-acl-file
            Require valid-user
            AuthType Basic
            AuthName "Subversion Repository"
            AuthUserFile /var/www/vhosts/mydomain.net/svn/svn-auth-file
            SSLRequireSSL
        </Location>
    </VirtualHost>

Cheers,
Franz
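
An added example, not part of the original post: a small Python check that parses the `openssl ciphers -v` output quoted above, drops the suites that `SSLProtocol all -SSLv2` disables, and reports which encryption algorithms remain. The function names are hypothetical, and it assumes the `openssl` command line expands the string the same way as the library linked into mod_ssl; under that assumption the list contains no AES suite, so an AES 256 session means this list is not the one in effect for that connection.

```python
import re

# Output of `openssl ciphers -v`, copied from the post above.
CIPHERS_V = """\
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

# One suite per line: name, protocol, then Kx=/Au=/Enc=/Mac= fields.
LINE = re.compile(
    r"(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^()\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into a list of dicts."""
    suites = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if m is None:
            raise ValueError("unrecognised cipher line: %r" % line)
        suite = m.groupdict()
        suite["bits"] = int(suite["bits"] or 0)  # Enc=None has no key size
        suites.append(suite)
    return suites

def drop_protocols(suites, disabled):
    """Remove suites whose protocol column is disabled (e.g. by SSLProtocol)."""
    return [s for s in suites if s["proto"] not in disabled]

def offers(suites, algorithm):
    """True if any suite encrypts with the given algorithm family."""
    return any(s["enc"].upper().startswith(algorithm.upper()) for s in suites)

if __name__ == "__main__":
    live = drop_protocols(parse_ciphers(CIPHERS_V), {"SSLv2"})
    for s in live:
        print("%-16s %-6s %s(%d)" % (s["name"], s["proto"], s["enc"], s["bits"]))
    print("AES offered:", offers(live, "AES"))
```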