You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Brian Mearns <bm...@ieee.org> on 2009/08/20 21:16:53 UTC
[users@httpd] Is it okay to not use exportable ciphers?
For the sake of security, I'd like to configure my SSL/TLS server to
not allow export level ciphers (using the SSLCipherSuite directive).
Is this going to realistically limit the number of people who can use
a secure connection to my site? Specifically, will visitors from other
countries (outside the US) be able to support the stronger
(non-exportable) ciphers?
Thanks,
-Brian
--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] how to purge/invalidate a site (including all its
objects) or simply just an object from mod_cache
Posted by Jerome Yanga <jy...@esri.com>.
Hi everyone!
I found the thread below.
http://httpd.markmail.org/message/b3iz6vhy3h7a3oox?q=purge+invalidate
Is this the best way to purge/invalidate a site (including all its objects and succeeding URLs) or simply just an object from mod_cache? If so, how do I use the patch? Otherwise, can you point me to the right direction?
Thank you in advance.
Regards,
jyanga
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Is it okay to not use exportable ciphers?
Posted by Crypto Sal <cr...@gmail.com>.
On 08/20/2009 03:40 PM, Brian Mearns wrote:
> On Thu, Aug 20, 2009 at 3:24 PM, Sander Temme<sc...@apache.org> wrote:
>
>> On Aug 20, 2009, at 3:16 PM, Brian Mearns wrote:
>>
>>
>>> For the sake of security, I'd like to configure my SSL/TLS server to
>>> not allow export level ciphers (using the SSLCipherSuite directive).
>>> Is this going to realistically limit the number of people who can use
>>> a secure connection to my site? Specifically, will visitors from other
>>> countries (outside the US) be able to support the stronger
>>> (non-exportable) ciphers?
>>>
>>
>> You can configure a logfile to record what ciphers your users are currently
>> using, and draw conclusions from that.
>>
>> S.
>>
> [clip]
>
> Good idea, but I'm not currently getting many users. I'm thinking in
> the long term, I don't want to lock out potential visitors just
> because they're using weak crypto.
>
> -Brian
>
>
Brian,
Have you considered using Apache's "SGC"? There's a nice little blurb
about it in the Apache Docs.[
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#upgradeenc ]
"How can I create an SSL server which accepts strong encryption only,
but allows export browsers to upgrade to stronger encryption?"
--Sal
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Is it okay to not use exportable ciphers?
Posted by Brian Mearns <me...@gmail.com>.
On Thu, Aug 20, 2009 at 3:24 PM, Sander Temme<sc...@apache.org> wrote:
>
> On Aug 20, 2009, at 3:16 PM, Brian Mearns wrote:
>
>> For the sake of security, I'd like to configure my SSL/TLS server to
>> not allow export level ciphers (using the SSLCipherSuite directive).
>> Is this going to realistically limit the number of people who can use
>> a secure connection to my site? Specifically, will visitors from other
>> countries (outside the US) be able to support the stronger
>> (non-exportable) ciphers?
>
>
> You can configure a logfile to record what ciphers your users are currently
> using, and draw conclusions from that.
>
> S.
[clip]
Good idea, but I'm not currently getting many users. I'm thinking in
the long term, I don't want to lock out potential visitors just
because they're using weak crypto.
-Brian
--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Is it okay to not use exportable ciphers?
Posted by Sander Temme <sc...@apache.org>.
On Aug 20, 2009, at 3:16 PM, Brian Mearns wrote:
> For the sake of security, I'd like to configure my SSL/TLS server to
> not allow export level ciphers (using the SSLCipherSuite directive).
> Is this going to realistically limit the number of people who can use
> a secure connection to my site? Specifically, will visitors from other
> countries (outside the US) be able to support the stronger
> (non-exportable) ciphers?
You can configure a logfile to record what ciphers your users are
currently using, and draw conclusions from that.
S.
--
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: [users@httpd] Is it okay to not use exportable ciphers?
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 20.08.09 15:16, Brian Mearns wrote:
> For the sake of security, I'd like to configure my SSL/TLS server to
> not allow export level ciphers (using the SSLCipherSuite directive).
> Is this going to realistically limit the number of people who can use
> a secure connection to my site? Specifically, will visitors from other
> countries (outside the US) be able to support the stronger
> (non-exportable) ciphers?
I did not have received and problem reports with setting:
SSLCipherSuite DEFAULT:!EXP:!LOW
for some time.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org