You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by sunhux G <su...@gmail.com> on 2011/05/29 16:48:25 UTC
[users@httpd] Alternative for Apache webserver Diffie-Hellman encryption to permit
SSL decryption
I'm newbie to encryption & beginner to Apache.
Length: 81
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 77
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: May 23, 2011 11:01:51.0000000000
random_bytes: C0C48BA2.....
Session ID Length: 32
Session ID: 53283989...
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0X0039) <==
Above is an extract of a data traffic sniffed using a product which
I'm evaluating.
I have a requirement to use a sniffing product (which I connect to our
internal LAN) to capture users access to our website portal to check
which pages the user access & the time a user login / logout & SSL
https encryption is involved. However, to do this, I'll need to do
decryption.
My Apache web servers appear to be configured to use "Diffie-Hellman" key
exchange. This can be verified by looking at the Server Hello packets and
viewing the Cipher Suite (as shown in above traffic capture). "DHE" means
Diffie-Hellman key exchange.
I suppose this means the shared private key from the web server is not used.
In Diffie-Hellman key exchange, the private key for each session is created
dynamically between the client and server, and is therefore technically
impossible to decrypt : correct me if I'm wrong. Refer to links / urls below
on why DH key exchange makes SSL decryption impossible:
- http://www.unleashnetworks.com/blog/?p=28
- http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/
In my Apache config file, there's a line below:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
Question:
Which alternative cipher provides the same encryption/key strength -
just doesn't use Diffie-Hellman for key exchange?
How should I amend my Apache config file so that it replaces Diffie-Hellman
with this new encryption? Pls provide as precise the instruction as possible
& whether I need to do "service httpd restart" or "service httpd reload"?
Any alternative proposed should not flag out as vulnerability during a
vulnerability scan.
Then I would be able to use the promiscuous mode sniffing device to see a
user logins & the slow pages that he accessed etc
Thanks
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Alternative for Apache webserver Diffie-Hellman encryption to
permit SSL decryption
Posted by sunhux G <su...@gmail.com>.
Note that in my current Apache config file, there's a line below which does not
mention anything on Diffie-Hellman, so my guess is Apache must have selected
/enabled DH by default. How can I explicitly turn it off?
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
I'm thinking of using TLS_RSA_WITH_AES_256_CBC_SHA
encryption. Kindly advise what's the syntax to put into the
Apache .conf file.
Any security consequence or network performance impact
from using this new encryption?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org