Posted to users@httpd.apache.org by Gabriele Paggi <ga...@ordanomade.org> on 2010/11/23 22:10:28 UTC

[users@httpd] [mod_ssl] SSLCipherSuite ignored?

Hello,

This is my first mail here; it was suggested that I write here after
posting on alt.comp.apache.configuration.

I'm trying to limit the amount of ciphers used by mod_ssl and I'm running:
- Apache 2.2.3
- mod_ssl-2.2.3-22
- OpenSSL 0.9.8e-fips-rhel5
on RHEL 5.3.

My server-wide mod_ssl cipher suite configuration line is:
SSLCipherSuite ALL:!ADH:!EXP-DES-CBC-SHA:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW
I don't have per-vhost mod_ssl configuration that could override it.

For this SSLCipherSuite list, the following ciphers should be
accepted:
[root@t]# openssl ciphers -v 'ALL:!ADH:!EXP-DES-CBC-SHA:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW'
DHE-RSA-AES256-SHA	SSLv3 Kx=DH	Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA	SSLv3 Kx=DH	Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA	 	SSLv3 Kx=RSA	Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA	SSLv3 Kx=DH	Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA 	SSLv3 Kx=DH	Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA 		SSLv3 Kx=RSA	Au=RSA Enc=AES(128) Mac=SHA1
KRB5-DES-CBC3-MD5 	SSLv3 Kx=KRB5	Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA 	SSLv3 Kx=KRB5	Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA 	SSLv3 Kx=DH	Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA 	SSLv3 Kx=DH	Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA 		SSLv3 Kx=RSA	Au=RSA Enc=3DES(168) Mac=SHA1
KRB5-RC4-MD5 		SSLv3 Kx=KRB5	Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA 		SSLv3 Kx=KRB5	Au=KRB5 Enc=RC4(128) Mac=SHA1
RC4-SHA 		SSLv3 Kx=RSA	Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 		SSLv3 Kx=RSA	Au=RSA Enc=RC4(128) Mac=MD5

Using sslscan (or manually trying each cipher by hand with
openssl s_client), I see indeed the following list:
[gpaggi@t32 ~]$ sslscan 10.x.xx.xx | grep -i acc
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5

I've been struggling with this for a while, either trying to add only
the ciphers I would like to see (without using aliases like EXP) or,
the other way around, removing the unwanted ones.
Either way the accepted ciphers list I see via sslscan is always the
same.

What I would like to do is to get rid of the EXP-* ciphers and the
ones with a key < 128 bits.
I've tried to include !EXPORT40 and !EXPORT56, with the same results
from sslscan as the ones shown above.
Any suggestion on how to accomplish this is more than welcome!

Thanks!

Gabriele Paggi
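A check that makes the comparison above mechanical, as an added example that is not part of the thread: it parses `openssl ciphers -v` output and sslscan's "Accepted" lines (the samples below are constructed in the formats quoted in this post) and lists every accepted cipher the configured string should have excluded, together with anything export-grade or below 128 bits. A non-empty list after a full restart means the directive is not taking effect in the context that serves the scanned port.

```python
import re

# Constructed sample of `openssl ciphers -v` output (cipher name is column 1).
OPENSSL_CIPHERS_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA Enc=RC4(128) Mac=SHA1
"""

# Constructed sample of sslscan output ("Accepted <proto> <bits> bits <name>").
SSLSCAN_OUTPUT = """\
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
"""

ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)")

def expected_ciphers(openssl_v_output):
    """Set of cipher names the cipher string resolves to (first column)."""
    return {ln.split()[0] for ln in openssl_v_output.splitlines() if ln.strip()}

def accepted_ciphers(sslscan_output):
    """(protocol, key bits, name) for every line sslscan marked Accepted."""
    hits = []
    for ln in sslscan_output.splitlines():
        m = ACCEPTED_RE.match(ln)
        if m:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits

def policy_violations(openssl_v_output, sslscan_output, min_bits=128):
    """Accepted ciphers the configured string should have excluded, with every
    reason that applies; an empty list means the directive took effect."""
    allowed = expected_ciphers(openssl_v_output)
    findings = []
    for proto, bits, name in accepted_ciphers(sslscan_output):
        reasons = []
        if name not in allowed:
            reasons.append("not in expected list")
        if bits < min_bits:
            reasons.append("%d-bit key" % bits)
        if name.startswith("EXP-"):
            reasons.append("export grade")
        if reasons:
            findings.append((proto, name, "; ".join(reasons)))
    return findings
```

Pipe the real `openssl ciphers -v '<your string>'` and `sslscan <host>` output into the two functions; the `Rejected` line in the sample shows that only accepted ciphers are considered.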

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] [mod_ssl] SSLCipherSuite ignored?

Posted by Gabriele Paggi <ga...@ordanomade.org>.
Hello again,

Well... I feel a bit ashamed and I'll probably hide myself under the table
for a couple of hours :P
I just noticed, well hidden in a flood of comments a colleague of mine
added to the file, the <VirtualHost _default_:443> line.
That means I've been editing the default virtual host SSL configuration.

Moving the SSLCipherSuite directive to the right place solved the issue!

Gabriele Paggi



Re: [users@httpd] [mod_ssl] SSLCipherSuite ignored?

Posted by Gabriele Paggi <ga...@ordanomade.org>.
Hello,

First of all, thank you for your reply!

> First off: try some HIGH settings, like:
> openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'

Done:

[root@t conf.d]# grep -i 'sslciphersuite' ssl.conf
#SSLCipherSuite ALL:!ADH:!EXP-DES-CBC-SSLCipherSuite
RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5
[root@vm189 conf.d]#

> Does it change sslscan's output?

Unfortunately the output is still the same:

[gpaggi@t32 ~]$ sslscan 10.x.xx.xx | grep -i acc
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  40 bits   EXP-RC4-MD5
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  40 bits   EXP-RC4-MD5
[gpaggi@t32 ~]$

> second: Are you restarting the server?

Yes of course.
AFAIK a graceful restart should be sufficient but, anyway, I'm doing my
tests following the configuration changes with a full restart.

I'm quite sure I'm missing something obvious, but I can't really figure
out what.

Gabriele Paggi



Re: [users@httpd] [mod_ssl] SSLCipherSuite ignored?

Posted by Igor Galić <i....@brainsware.org>.
----- "Gabriele Paggi" <ga...@ordanomade.org> wrote:

> Hello,
> 
> This is my first mail here and I've been suggested to write here after
> posting on alt.comp.apache.configuration.
> 
> I'm trying to limit the amount of ciphers used by mod_ssl and I'm
> running:
> - Apache 2.2.3
> - mod_ssl-2.2.3-22
> - OpenSSL 0.9.8e-fips-rhel5
> on RHEL 5.3.
> 
> My server-wide mod_ssl cipher suite configuration line is:
> SSLCipherSuite ALL:!ADH:!EXP-DES-CBC-SHA:!EXP:!SSLv2:RC4+RSA:+HIGH:
> +MEDIUM:!LOW
> I don't have per-vhost mod_ssl configuration that could override it.
> 
> For this SSLCipherSuite list, the following ciphers should be
> accepted:
> [root@t]# openssl ciphers -v 'ALL:!ADH:!EXP-DES-CBC-SHA:!EXP:!
> SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW'

First off: try some HIGH settings, like:

 openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:!ADH:!MD5'

Does it change sslscan's output?

second: Are you restarting the server?

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
