On Wed, Dec 16, 2009 at 7:00 PM, Justin Pasher
<just...@newmediagateway.com>wrote:
[snip]
Here is the SSLCipherSuite directive that I use on my servers to lock out
> insecure ciphers:
>
> SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5
>
> Try setting your config to this value. Obviously this is different than
> what you are trying to accomplish, but right now the goal is to figure out
> whether the SSLCipherSuite directive is actually being acknowledged. When
> you run the openssl_check.sh script again, it should return the following
> results:
>
> + AES256-SHA at Server public key is 1024 bit
> + AES128-SHA at Server public key is 1024 bit
> + DES-CBC3-SHA at Server public key is 1024 bit
> + RC4-SHA at Server public key is 1024 bit
> + RC4-MD5 at Server public key is 1024 bit
> + RC4-MD5 at Server public key is 1024 bit
>
> If you see anything different, then the SSLCipherSuite is not being set
> properly. Double check that you don't have multiple SSLCipherSuite
> directives set across different files. Also make sure you are not
> accidentally setting it within an unintentional container, such as
> <Directory> or <VirtualHost>. I know that on CentOS, the default config file
> that has the SSL directives actually contains the SSLCipherSuite directive
> within a <VirtualHost> container. That threw me off recently when I was
> trying to setup apache on a CentOS box for the first time.
I'm still getting the same list, even if I use the SSLCipherSuite you
suggested, so it's clearly not used.
On my side (in my subdomain's configuration), I only have one
SSLCipherSuite occurrence, inside the <VirtualHost> container I shown
earlier in this thread (and it's not in a <Location> or <Directory>
container).
That being said, in /etc/httpd/conf.d/ssl.conf, there is another occurrence:
<VirtualHost _default_:443>
...
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
...
</VirtualHost>
Shouldn't my configuration file have precedence over that?
Cheers,
Franz
