Hello,
I have a setup where Apache 2.2.3 is serving a large SVN repository with
WebDAV over HTTPS (using basic authentication).
Everything is working correctly; I would simply like to force usage of
faster cipher algorithms (trading some security in favor of speed) than what
seems to be allowed right now (for instance, AES 256 is used when I connect
with Firefox).
My idea is that, by only allowing less secure but faster algorithms, all SVN
clients (command-line SVN or TortoiseSVN, for instance) will be forced to
use these faster algorithms, thus speeding up SVN operations.
I have played quite a bit with the SSLCipherSuite setting (at the virtual
host level), but I apparently cannot manage to force the client to specific
algorithms (RC4 for instance).
As an experiment, I have tried that (at the virtual host level):
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:+RC4+RSA:!HIGH:!LOW:!EXP:!NULL
which, if I understand correctly, should force usage of RC4+RSA if
available, or other algorithms from the "medium" list:
$ openssl ciphers -v 'ALL:!ADH:+RC4+RSA:!HIGH:!LOW:!EXP:!NULL'
DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
Yet, Firefox still seems to be able to negotiate using AES 256. I am
puzzled.
Am I using the SSLCipherSuite setting correctly? Is there a way (possibly
another way) to achieve this optimization?
For information, I am using Apache/2.2.3 and OpenSSL 0.9.8b 04 May 2006 on
CentOS release 5.2 (Final).
Here is the relevant part of the virtual host configuration:
<VirtualHost XXX.XXX.XXX.XXX:443>
  ServerName svn.mydomain.net:443
  ServerAdmin "XXX"
  DocumentRoot /var/www/vhosts/mydomain.net/subdomains/svn/httpdocs
  CustomLog /var/www/vhosts/mydomain.net/statistics/logs/access_ssl_log plesklog
  ErrorLog /var/www/vhosts/mydomain.net/statistics/logs/error_log
  SSLEngine on
  SSLVerifyClient none
  SSLCertificateFile /usr/local/psa/var/certificates/certVl10777
  <Directory /var/www/vhosts/mydomain.net/subdomains/svn/httpdocs>
    ...
  </Directory>
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder on
  <Location />
    DAV svn
    SVNPath /var/www/vhosts/mydomain.net/svn/svnrepository
    AuthzSVNAccessFile /var/www/vhosts/mydomain.net/svn/svn-acl-file
    Require valid-user
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /var/www/vhosts/mydomain.net/svn/svn-auth-file
    SSLRequireSSL
  </Location>
</VirtualHost>
Cheers,
Franz
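The post turns on how OpenSSL evaluates a cipher string such as `ALL:!ADH:+RC4+RSA:!HIGH:!LOW:!EXP:!NULL`. The following is an added example, not code from the original post, from OpenSSL or from mod_ssl: a small interpreter for the subset of the cipher-list syntax used above (ALL, keyword items joined with `+`, and the `!`, `-` and `+` prefixes), followed by a simulation of which suite a server with SSLHonorCipherOrder on or off would pick against a client's offer. The cipher table, its keyword sets and the client offer are constructed for the example; the names follow OpenSSL 0.9.8 conventions, but the real ALL ordering and strength classes come from the OpenSSL build, so treat them as assumptions. Two points it makes visible: a leading `+` moves already-listed suites to the end of the list rather than promoting them, and once `!HIGH` has run no AES suite remains at all. RC4 and MD5-based suites are long since deprecated (RFC 7465 forbids RC4), so the block illustrates the syntax only, not a recommended configuration.

```python
"""Interpreter for the subset of OpenSSL cipher-list syntax used on the page.

Added example, not code from the original post or from OpenSSL/mod_ssl.
The cipher table below is constructed: names follow OpenSSL 0.9.8 usage,
but the keyword sets and the ALL ordering are assumptions for illustration.
"""
import re

# Constructed cipher table: (name, keywords it matches), in the order an
# ALL expansion is assumed to produce them (stronger first).
CIPHERS = [
    ("DHE-RSA-AES256-SHA", {"kEDH", "DH", "aRSA", "RSA", "AES", "HIGH", "SSLv3"}),
    ("AES256-SHA",         {"kRSA", "aRSA", "RSA", "AES", "HIGH", "SSLv3"}),
    ("DHE-RSA-AES128-SHA", {"kEDH", "DH", "aRSA", "RSA", "AES", "HIGH", "SSLv3"}),
    ("AES128-SHA",         {"kRSA", "aRSA", "RSA", "AES", "HIGH", "SSLv3"}),
    ("DES-CBC3-SHA",       {"kRSA", "aRSA", "RSA", "3DES", "HIGH", "SSLv3"}),
    ("ADH-AES256-SHA",     {"kEDH", "DH", "ADH", "aNULL", "AES", "HIGH", "SSLv3"}),
    ("DHE-DSS-RC4-SHA",    {"kEDH", "DH", "aDSS", "DSS", "RC4", "MEDIUM", "SSLv3"}),
    ("RC4-SHA",            {"kRSA", "aRSA", "RSA", "RC4", "MEDIUM", "SSLv3"}),
    ("RC4-MD5",            {"kRSA", "aRSA", "RSA", "RC4", "MD5", "MEDIUM", "SSLv3"}),
    ("DES-CBC-SHA",        {"kRSA", "aRSA", "RSA", "DES", "LOW", "SSLv3"}),
    ("EXP-RC4-MD5",        {"kRSA", "aRSA", "RSA", "RC4", "MD5", "EXP", "EXPORT", "SSLv3"}),
    ("NULL-SHA",           {"kRSA", "aRSA", "RSA", "NULL", "eNULL", "SSLv3"}),
]


def expand(term):
    """Ciphers matching one item: a suite name, or keywords joined by '+'
    (every keyword must match). ALL means everything except eNULL."""
    if term == "ALL":
        return [name for name, kw in CIPHERS if "eNULL" not in kw]
    needed = term.split("+")
    return [name for name, kw in CIPHERS
            if all(k == name or k in kw for k in needed)]


def cipher_list(spec):
    """Evaluate a cipher string left to right, the way OpenSSL does:
    no prefix -> append matches not yet present;
    '-'       -> drop matches (they may be re-added by a later item);
    '!'       -> drop matches permanently;
    '+'       -> move matches already present to the END of the list."""
    active, killed = [], set()
    for item in re.split(r"[:,\s]+", spec.strip()):
        if not item:
            continue
        op = item[0] if item[0] in "!-+" else ""
        matched = expand(item[len(op):])
        if op == "!":
            killed.update(matched)
            active = [c for c in active if c not in killed]
        elif op == "-":
            active = [c for c in active if c not in matched]
        elif op == "+":
            active = ([c for c in active if c not in matched]
                      + [c for c in active if c in matched])
        else:
            active += [c for c in matched if c not in active and c not in killed]
    return active


def negotiate(server_spec, client_offer, honor_order=True):
    """Suite a mod_ssl server would pick. With SSLHonorCipherOrder on, the
    first entry of the server list that the client offered wins; with it
    off, the first entry of the client's offer that the server allows."""
    allowed = cipher_list(server_spec)
    if honor_order:
        return next((c for c in allowed if c in client_offer), None)
    return next((c for c in client_offer if c in allowed), None)


# The string from the post: '+RC4+RSA' demotes the RC4/RSA suites to the end,
# then '!HIGH' deletes every AES suite, so AES cannot be chosen at all.
POSTED_SPEC = "ALL:!ADH:+RC4+RSA:!HIGH:!LOW:!EXP:!NULL"

# An assumed alternative that lists RC4 first but keeps AES/3DES as fallback;
# which one a client gets then depends on SSLHonorCipherOrder.
PREFER_RC4_SPEC = "RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL"

# Constructed client offer, AES-256 first as a browser of that era would send.
CLIENT_OFFER = ["AES256-SHA", "DHE-RSA-AES256-SHA", "AES128-SHA",
                "RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for spec in (POSTED_SPEC, PREFER_RC4_SPEC):
        print(spec)
        print("  server list :", cipher_list(spec))
        print("  honor on    :", negotiate(spec, CLIENT_OFFER, True))
        print("  honor off   :", negotiate(spec, CLIENT_OFFER, False))
```

Against the constructed table, the posted string evaluates to the RC4-only list the `openssl ciphers -v` output above shows, with the `+RC4+RSA` suites at the tail rather than the head. Whatever the running server actually accepts is best checked directly, for instance with `openssl s_client -connect svn.mydomain.net:443 -cipher AES256-SHA`: a completed handshake means that suite is still enabled on the live vhost, whatever the parsed cipher string says.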