On Tue, Aug 7, 2012 at 7:46 AM, Eric Covener <cove...@gmail.com> wrote:
> On Tue, Aug 7, 2012 at 8:14 AM, Tom Browder <tom.brow...@gmail.com> wrote:
>> I have been checking my Apache 2.2.14 server with this link:
>>
>>   https://www.ssllabs.com/ssltest/index.html
...
>>   Cipher Suites (sorted by strength; server has no preference)
>
> I'm not sure how the tool can make that determination. SSLv3-and-later
> allows the server to pick any cipher out of the intersection of what's
> supported by both ends

According to the site's docs (a post by Ivan Ristic), they do this, quote:

In a nutshell, here is what we do:

1. Send a list of cipher suites we wish to test (the list contains
only the suites we know are supported)

2. If the server selects a suite that's not first on the list, we know
it has a preference for it

3. If the server selects a suite that is first on the list, we put it
at the end of the list and send the list again (if the server really
has a preference for that suite, it will choose it even when the suite
is at the bottom of the list).

4. We remove the selected suite from the list and repeat the process
until we run out of suites

End quote.

>> I have the following in my server block:
>>
>>   SSLProtocol all -SSLv2
>>   SSLHonorCipherOrder On
>>   # disallow DH ciphers
>>   SSLCipherSuite HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH
>>
>> It looks like the "SSLHonorCipherOrder On" and "SSLCipherSuite"
>> directives aren't working according to the test report.
>
> What does the following report on your system?
>
>   openssl ciphers 'HIGH:RC4:+HIGH+TLSv1:!aNULL:!MD5:!DH:!EDH:!ADH'

I get this response:

  RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA

> Although I also now notice you disabled MD5 but the scan reported
> rc4-md5. Are you sure it scanned your actual system and you're in the
> right vhost?

Well, as near as I know how to tell.  The report does correctly report
my host and other details, so I assume it's finding the directives in
that block.  I do have multiple vhosts, and I will see if I can put
those directives in a more general (higher) location.

I'm working on moving to openssl 1.0.1c and Apache 2.4.3, but I'm not
moving very fast.

Thanks for the reply, Eric.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
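The probing procedure quoted above can be modelled without a network. The following is an added example, not code from the thread, from SSL Labs or from httpd: each "server" is an in-process function standing in for the ClientHello/ServerHello exchange, the client list is a constructed strongest-first offer, and the server list is the `openssl ciphers` output posted in the thread. It also covers step 1 (only probe suites the server is known to accept), since skipping that step would make a server that simply lacks the last suite look as if it had a preference.

```python
"""Added example (not code from the thread, SSL Labs or httpd): a model of
Ivan Ristic's procedure for deciding whether a server honours its own
cipher order.  No network is used; make_server() returns a function that
plays the server, and the suite names are OpenSSL-style strings
constructed for illustration."""

# Constructed client offer, strongest first, as a scanner would send it.
CLIENT_SUITES = ["AES256-SHA", "DES-CBC3-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5"]

# The 'openssl ciphers' output from the thread, i.e. the server's own order.
SERVER_SUITES = ["RC4-SHA", "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]


def make_server(supported, honor_order):
    """Model a TLS server: given the suites a ClientHello offers (in client
    order), return the suite the ServerHello would carry, or None if none
    overlap.  honor_order=True mimics SSLHonorCipherOrder On (first match in
    server order); False mimics the default (first match in client order)."""
    def select(offered):
        outer, inner = (supported, offered) if honor_order else (offered, supported)
        for suite in outer:
            if suite in inner:
                return suite
        return None
    return select


def supported_suites(server, candidates):
    """Step 1: learn which candidates the server accepts at all by offering
    each one on its own.  The preference probe must only use these."""
    return [s for s in candidates if server([s]) == s]


def probe_preference(server, candidates):
    """Steps 2-4.  Returns (has_preference, order); order lists the suites
    in the sequence the server chose them, which is the server's own
    ranking when has_preference is True and is arbitrary otherwise."""
    remaining = supported_suites(server, candidates)
    order = []
    has_preference = False
    while remaining:
        chosen = server(remaining)
        if chosen != remaining[0]:
            # Step 2: the server ignored client order, so it has its own.
            has_preference = True
        else:
            # Step 3: move the chosen suite to the end and ask again.  A server
            # with a preference picks it again even from the bottom of the list.
            rotated = remaining[1:] + [chosen]
            again = server(rotated)
            if len(rotated) > 1 and again == chosen:
                has_preference = True
            chosen = again
        # Step 4: drop the selected suite and repeat until none are left.
        order.append(chosen)
        remaining.remove(chosen)
    return has_preference, order


if __name__ == "__main__":
    for label, honor in (("SSLHonorCipherOrder On", True),
                         ("SSLHonorCipherOrder Off", False)):
        pref, order = probe_preference(make_server(SERVER_SUITES, honor), CLIENT_SUITES)
        print(f"{label}: preference={pref} order={order}")
```

Step 3 is what separates a server whose own order happens to match the client's from one that merely follows the client: in the first case the rotated list still yields the same suite. In the model, a server that never accepts RC4-MD5 also never reports it, which is the kind of discrepancy Eric is pointing at when the scan shows a suite the configured vhost excludes.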