On Wed, Dec 16, 2009 at 7:00 PM, Justin Pasher <just...@newmediagateway.com> wrote:

[snip]
> Here is the SSLCipherSuite directive that I use on my servers to lock out
> insecure ciphers:
>
> SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5
>
> Try setting your config to this value. Obviously this is different than
> what you are trying to accomplish, but right now the goal is to figure out
> whether the SSLCipherSuite directive is actually being acknowledged. When
> you run the openssl_check.sh script again, it should return the following
> results:
>
> + AES256-SHA at Server public key is 1024 bit
> + AES128-SHA at Server public key is 1024 bit
> + DES-CBC3-SHA at Server public key is 1024 bit
> + RC4-SHA at Server public key is 1024 bit
> + RC4-MD5 at Server public key is 1024 bit
> + RC4-MD5 at Server public key is 1024 bit
>
> If you see anything different, then the SSLCipherSuite is not being set
> properly. Double check that you don't have multiple SSLCipherSuite
> directives set across different files. Also make sure you are not
> accidentally setting it within an unintentional container, such as
> <Directory> or <VirtualHost>. I know that on CentOS, the default config file
> that has the SSL directives actually contains the SSLCipherSuite directive
> within a <VirtualHost> container. That threw me off recently when I was
> trying to set up apache on a CentOS box for the first time.

I'm still getting the same list, even if I use the SSLCipherSuite you suggested, so it's clearly not used.

On my side (in my subdomain's configuration), I only have one SSLCipherSuite occurrence, inside the <VirtualHost> container I showed earlier in this thread (and it's not in a <Location> or <Directory> container).

That being said, in /etc/httpd/conf.d/ssl.conf, there is another occurrence:

<VirtualHost _default_:443>
...
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
...
</VirtualHost>

Shouldn't my configuration file have precedence over that?

Cheers,
Franz
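The check Justin suggests (more than one SSLCipherSuite directive spread over several files, or one sitting inside an unintended <VirtualHost> or <Directory> container) can be automated. The following is an added example, not something posted in this thread: it walks a set of Apache config files, tracks the enclosing <Section> containers, and reports every occurrence with its container chain. The file contents are constructed samples modelled on the two VirtualHost blocks discussed above; the file names are placeholders.

```python
import re

# Constructed sample configs modelled on the thread's two files; not real files.
SAMPLE_FILES = {
    "/etc/httpd/conf.d/ssl.conf": """
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
""",
    "/etc/httpd/conf.d/sub.conf": """
<VirtualHost *:443>
    ServerName sub.example.com
    SSLEngine on
    SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5
    <Directory /var/www/sub>
        SSLCipherSuite HIGH
    </Directory>
</VirtualHost>
""",
}

OPEN_TAG = re.compile(r"^<(\w+)\s*([^>]*)>$")   # e.g. <VirtualHost _default_:443>
CLOSE_TAG = re.compile(r"^</(\w+)>$")           # e.g. </VirtualHost>

def find_directive(files, name="SSLCipherSuite"):
    """Return (file, line_no, container chain, value) for every `name` directive."""
    hits = []
    for path, text in files.items():
        stack = []  # currently open "<Section args>" containers, outermost first
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):   # Apache comments start the line
                continue
            if m := CLOSE_TAG.match(line):
                if stack and stack[-1].split()[0].lower() == m.group(1).lower():
                    stack.pop()
                continue
            if m := OPEN_TAG.match(line):
                stack.append(f"{m.group(1)} {m.group(2)}".strip())
                continue
            parts = line.split(None, 1)
            if parts[0].lower() == name.lower():   # directive names are case-insensitive
                hits.append((path, lineno, " > ".join(stack), parts[1] if len(parts) > 1 else ""))
    return hits

if __name__ == "__main__":
    for path, lineno, ctx, value in find_directive(SAMPLE_FILES):
        print(f"{path}:{lineno} [{ctx or 'server config'}] {value}")
```

The report only lists where each directive lives; which <VirtualHost> Apache actually selects for a request still has to be confirmed against the server's name/port matching, which is the question Franz raises.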