Posted to users@httpd.apache.org by sunhux G <su...@gmail.com> on 2011/06/16 17:02:30 UTC

[users@httpd] Syntax to replace Diffie-Hellman with RSA encryption

Hi

Further to the post, what's the correct syntax to replace DH
with RSA encryption?

Choose which of the options below are correct:
1) SSLCipherSuite ALL:!ADH:RC4+RSA:HIGH:MEDIUM:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
2) SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
3) SSLCipherSuite !ADH:RC4+RSA:+HIGH:+MEDIUM:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
4) SSLCipherSuite !ADH:RC4+RSA:+HIGH:+MEDIUM:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
5) SSLCipherSuite !ADH:RC4+RSA:
      !aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

What does ALL represent?

Thanks

On Sun, May 29, 2011 at 10:48 PM, sunhux G <su...@gmail.com> wrote:
> I'm a newbie to encryption & a beginner to Apache.
>
>
> Length: 81
> Handshake Protocol: Server Hello
>  Handshake Type: Server Hello (2)
>  Length: 77
>  Version: TLS 1.0 (0x0301)
>  Random
>     gmt_unix_time: May 23, 2011 11:01:51.0000000000
>     random_bytes: C0C48BA2.....
>   Session ID Length: 32
>   Session ID: 53283989...
>   Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0X0039)    <==
>
> Above is an extract of data traffic sniffed using a product which
> I'm evaluating.
>
> I have a requirement to use a sniffing product (which I connect to our
> internal LAN) to capture users' access to our website portal, to check
> which pages the user accesses & the time a user logs in / out, & SSL
> https encryption is involved.  However, to do this, I'll need to do
> decryption.
>
> My Apache web servers appear to be configured to use "Diffie-Hellman"  key
> exchange.  This can be verified by looking at the Server Hello packets and
> viewing the Cipher Suite (as shown in above traffic capture).  "DHE" means
> Diffie-Hellman key exchange.
>
> I suppose this means the shared private key from the web server is not used.
> In Diffie-Hellman key exchange, the private key for each session is created
> dynamically between the client and server, and is therefore technically
> impossible to decrypt: correct me if I'm wrong.  Refer to the links / urls below
> on why DH key exchange makes SSL decryption impossible:
>  - http://www.unleashnetworks.com/blog/?p=28
>  - http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/
>
> In my Apache config file, there's a line below:
> SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
>
>
> Question:
> Which alternative cipher provides the same encryption/key strength -
> just doesn't use Diffie-Hellman for key exchange?
>
> How should I amend my Apache config file so that it replaces Diffie-Hellman
> with this new encryption?  Please provide as precise an instruction as possible,
> & say whether I need to do "service httpd restart" or "service httpd reload".
>
> Any alternative proposed should not be flagged as a vulnerability during a
> vulnerability scan.
>
>
> Then I would be able to use the promiscuous-mode sniffing device to see a
> user's logins & the slow pages that he accessed, etc.
>
>
> Thanks
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Syntax to replace Diffie-Hellman with RSA encryption

Posted by Rainer Frey <ra...@inxmail.de>.
On 19.06.2011, at 23:00, DW wrote:

> sunhux G wrote:
>> After making changes to httpd.conf, can I just issue
>> 
>> 1) "kill -HUP httpd_instance_pid"  for the change to take effect or
>> 2) "service httpd reload"  or
>> 3) "service httpd restart"
>> 
>> Select one or more of the above correct options
> 
> Before you make any changes to the configuration file, you must stop the
> apache service otherwise you won't be able to save your changes.

Wrong. The OP is obviously on some unix-like platform (Linux most likely), and there is no locking on the config file. Edit, and then a graceful restart should be sufficient AFAIK. Most distributions do that with the "reload" argument of the init script.

Rainer


[users@httpd] Re: Syntax to replace Diffie-Hellman with RSA encryption

Posted by DW <xf...@hotmail.com>.
Before you make any changes to the configuration file, you must stop the
apache service otherwise you won't be able to save your changes.

Then when the changes are made and the file is saved, you need to start
the apache service for all changes to take effect.

Hope this helps.



sunhux G wrote:
> After making changes to httpd.conf, can I just issue
> 
> 1) "kill -HUP httpd_instance_pid"  for the change to take effect or
> 2) "service httpd reload"  or
> 3) "service httpd restart"
> 
> Select one or more of the above correct options
> 
> 
> Thanks
> Sun
> 




Re: [users@httpd] Syntax to replace Diffie-Hellman with RSA encryption

Posted by sunhux G <su...@gmail.com>.
After making changes to httpd.conf, can I just issue

1) "kill -HUP httpd_instance_pid"  for the change to take effect or
2) "service httpd reload"  or
3) "service httpd restart"

Select one or more of the above correct options


Thanks
Sun



Re: [users@httpd] Syntax to replace Diffie-Hellman with RSA encryption

Posted by sunhux G <su...@gmail.com>.
Thanks.

I'll verify on Mon using the tool Zeek suggested or openssl (<host> is the server to test):
  openssl s_client -connect <host>:443 -cipher '!DH:!ADH:RC4+RSA:HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM'



Re: [users@httpd] Syntax to replace Diffie-Hellman with RSA encryption

Posted by zeek <ze...@mogwai.ath.cx>.

ALL means include all ciphers. You'd then omit with !

To replace DH w/RSA I think you could do !ADH:+RSA

I recommend using the SSL utility at http://serversniff.net to confirm


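The SSLCipherSuite directive hands its string to OpenSSL's cipher-list parser, so the way to know what a string such as `!DH:!ADH:RC4+RSA:HIGH:MEDIUM:...` really enables is to expand it and look at each suite's key exchange. The script below is an added example written for this thread, not code from the list or from httpd; it assumes Python's `ssl` module is linked against the same OpenSSL version as the httpd host (the expansion differs between OpenSSL releases, and RC4 suites are absent from current builds).

```python
import ssl

# Cipher strings taken from the thread: the poster's current SSLCipherSuite
# value and the "!DH" variant they planned to test with openssl s_client.
ORIGINAL = "HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM"
NO_DH = "!DH:!ADH:RC4+RSA:HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM"


def expand(cipher_string):
    """Expand an OpenSSL cipher string (the SSLCipherSuite syntax) into the
    suites it enables, as dicts with 'name', 'kea' and 'auth' keys.
    Python's ssl module passes the string to the same OpenSSL parser mod_ssl
    uses, so the result is what that OpenSSL build would offer.  TLS 1.3
    suites are not governed by this string and are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchanges(cipher_string):
    """Key-exchange families enabled, e.g. {'kx-rsa', 'kx-dhe', 'kx-ecdhe'}."""
    return {c["kea"] or "" for c in expand(cipher_string)}


def diffie_hellman_suites(cipher_string):
    """Names of every suite whose key exchange is some form of Diffie-Hellman:
    finite-field DHE (what '!DH' removes) as well as ECDHE, which '!DH' keeps."""
    return [c["name"] for c in expand(cipher_string) if "dh" in (c["kea"] or "")]


def report(cipher_string):
    suites = expand(cipher_string)
    dh = diffie_hellman_suites(cipher_string)
    print(cipher_string)
    print(f"  {len(suites)} suites; key exchange: {sorted(key_exchanges(cipher_string))}")
    print(f"  {len(dh)} Diffie-Hellman suites remain, e.g. {dh[:3]}")


if __name__ == "__main__":
    report(ORIGINAL)
    report(NO_DH)
```

The second report shows the catch: ECDHE suites also use Diffie-Hellman and survive `!DH`, so a string that only excludes `DH` still negotiates DH-based, forward-secret sessions with any modern client.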
