Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2014/05/14 11:23:04 UTC
Odd - SSLCipherSuite
Now I must be getting rusty - we have in the config file
SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
with the first resolving nicely with
openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
to just
ECDHE-RSA-AES256-SHA
So my assumption is that this server will insist on talking above - and nothing else.
And on the wire - if I observe the Server Hello I see:
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
which is sort of what I expect.
However when I throw
https://www.ssllabs.com/ssltest/analyze.html
their analyzer at it - it seems to be quite able to convince the server to say hellos with
SSLv3 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
...
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
or
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
...
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
And so on*. I must be missing something very obvious here! Am I misunderstanding SSLCipherSuite or is there something specific about 1.2 which makes certain things mandatory and not under control of SSLCipherSuite?
Dw.
* besides Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Server Hellos with
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
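A defender-side version of the check being done by hand above: parse a captured ServerHello record and compare the negotiated protocol version and cipher suite against what the SSLCipherSuite and SSLProtocol lines were meant to allow. This is an added example, not code from the thread, from httpd or from OpenSSL. The sample records are constructed inline, and the EXPECTED_* sets are my reading of the two directives (only ECDHE-RSA-AES256-SHA, IANA code point 0xc014; SSLv3, TLSv1.1 and TLSv1.2, with TLSv1.0 left disabled).

```python
"""Parse a captured TLS/SSL ServerHello record and compare what the server
negotiated against what the httpd config was intended to allow.

Added example, not code from the thread; sample records are constructed inline."""
import struct

# IANA code points for suites named in the thread.
SUITE_NAMES = {
    0xc014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",    # OpenSSL name: ECDHE-RSA-AES256-SHA
    0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# My reading of the thread's config (an assumption, stated in the lead-in):
#   SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA   -> only 0xc014
#   SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3  -> 0x0300, 0x0302, 0x0303 (TLSv1 stays off)
EXPECTED_SUITES = {0xc014}
EXPECTED_VERSIONS = {0x0300, 0x0302, 0x0303}


def parse_server_hello(record: bytes) -> dict:
    """Return record version, negotiated version, cipher suite and compression
    from a single ServerHello record (record layer + handshake header + body)."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a Handshake record (content type %d)" % content_type)
    body = record[5:5 + record_len]
    if len(body) != record_len or record_len < 4:
        raise ValueError("record body truncated")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 2:
        raise ValueError("not a ServerHello (handshake type %d)" % hs_type)
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("handshake body truncated")
    version = struct.unpack("!H", hs[:2])[0]
    sid_len = hs[34]                      # 2 bytes version + 32 bytes random precede it
    off = 35 + sid_len
    if len(hs) < off + 3:
        raise ValueError("session id overruns handshake body")
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    compression = hs[off + 2]
    return {"record_version": record_version, "version": version,
            "cipher_suite": suite, "compression": compression}


def check_server_hello(record, expected_suites=EXPECTED_SUITES,
                       expected_versions=EXPECTED_VERSIONS):
    """Return a list of findings; empty when the handshake matches the intended config."""
    hello = parse_server_hello(record)
    findings = []
    v, s = hello["version"], hello["cipher_suite"]
    if v not in expected_versions:
        findings.append("protocol %s (0x%04x) is disabled by SSLProtocol"
                        % (VERSION_NAMES.get(v, "unknown"), v))
    if s not in expected_suites:
        findings.append("cipher suite %s (0x%04x) is outside SSLCipherSuite"
                        % (SUITE_NAMES.get(s, "unknown"), s))
    if hello["compression"] != 0:
        findings.append("compression method %d negotiated" % hello["compression"])
    return findings


def build_server_hello(version, suite, session_id=b"", compression=0):
    """Construct a minimal ServerHello record (no extensions) for testing.
    Constructed sample bytes, not a real capture; the record-layer version is
    set to the negotiated version, as in the captures quoted in the thread."""
    hs = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)])
          + session_id + struct.pack("!H", suite) + bytes([compression]))
    body = bytes([2]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, version, len(body)) + body


if __name__ == "__main__":
    samples = {
        "what the config intends": build_server_hello(0x0303, 0xc014),
        "GCM suite seen on the wire": build_server_hello(0x0303, 0xc030),
        "SSLv3 RC4 reported by ssllabs": build_server_hello(0x0300, 0x0004, b"\x01" * 8),
        "TLSv1 DES (version and suite both wrong)": build_server_hello(0x0301, 0x0015),
    }
    for label, rec in samples.items():
        print("%-42s %s" % (label, check_server_hello(rec) or ["OK"]))
```

Feed it real records by slicing the handshake record out of a capture (everything from the 0x16 content-type byte through the end of the ServerHello); a non-empty finding list is the same discrepancy the thread is chasing, without needing a third-party scanner.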
Re: Odd - SSLCipherSuite
Posted by Ruediger Pluem <rp...@apache.org>.
Dirk-Willem van Gulik wrote:
>
> On 14 May 2014, at 19:10, Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com> wrote:
>
>> Which Apache version do you use?
>
> Below was with:
>
> Apache/2.4.9
> OpenSSL 1.0.1e-freebsd
>
> but I reverted to that from a patched/hacked build from HEAD while investigating the issue. Does this ring a bell?
I was thinking of the automatic prepending of Apache of !aNULL:!eNULL:!EXP: to your -ALL:ECDHE-RSA-AES256-SHA, but this
wasn't the issue. So currently no idea.
Regards
Rüdiger
Re: Odd - SSLCipherSuite
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On 14 May 2014, at 19:10, Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com> wrote:
> Which Apache version do you use?
Below was with:
Apache/2.4.9
OpenSSL 1.0.1e-freebsd
but I reverted to that from a patched/hacked build from HEAD while investigating the issue. Does this ring a bell?
Dw.
> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
> Sent: Wednesday, 14 May 2014 11:23
> To: dev@httpd.apache.org
> Subject: Odd - SSLCipherSuite
>
> Now I must be getting rusty - we have in the config file
>
> SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
> SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
>
> with the first resolving nicely with
>
> openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
>
> to just
>
> ECDHE-RSA-AES256-SHA
>
> So my assumption is that this server will insist on talking above - and nothing else.
>
> And on the wire - if I observe the Server Hello I see:
>
> Secure Sockets Layer
> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
> ...
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>
> which is sort of what I expect.
>
> However when I throw
>
> https://www.ssllabs.com/ssltest/analyze.html
>
> their analyzer at it - it seems to be quite able to convince the server to say hellos with
>
> SSLv3 Record Layer: Handshake Protocol: Server Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> ...
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>
> or
>
> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
> ...
> Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>
> And so on*. I must be missing something very obvious here! Am I misunderstanding SSLCipherSuite or is there something specific about 1.2 which makes certain things mandatory and not under control of SSLCipherSuite?
>
> Dw.
>
>
>
>
> * besides Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> Server Hellos with
>
> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
> Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
> Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
> Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
> Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
> Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
> Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
> Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
> Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
> Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Re: Odd - SSLCipherSuite
Posted by Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com>.
Which Apache version do you use?
Regards
Rüdiger
From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
Sent: Wednesday, 14 May 2014 11:23
To: dev@httpd.apache.org
Subject: Odd - SSLCipherSuite
Now I must be getting rusty - we have in the config file
SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
with the first resolving nicely with
openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
to just
ECDHE-RSA-AES256-SHA
So my assumption is that this server will insist on talking above - and nothing else.
And on the wire - if I observe the Server Hello I see:
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
which is sort of what I expect.
However when I throw
https://www.ssllabs.com/ssltest/analyze.html
their analyzer at it - it seems to be quite able to convince the server to say hellos with
SSLv3 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
...
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
or
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
...
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
And so on*. I must be missing something very obvious here! Am I misunderstanding SSLCipherSuite or is there something specific about 1.2 which makes certain things mandatory and not under control of SSLCipherSuite?
Dw.
* besides Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Server Hellos with
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Re: Odd - SSLCipherSuite
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On 19 May 2014, at 15:04, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
> On 17 May 2014, at 14:15, Dr Stephen Henson <sh...@opensslfoundation.com> wrote:
>> On 14/05/2014 10:23, Dirk-Willem van Gulik wrote:
>>> Now I must be getting rusty - we have in the config file
>>>
>>> SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
>>> SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
>>>
>>> with the first resolving nicely with
>>>
>>> openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
>>>
>>> to just
>>>
>>> ECDHE-RSA-AES256-SHA
...
>>> So my assumption is that this server will insist on talking above - and nothing else.
>>>
>>> And on the wire - if I observe the Server Hello I see:
>>>
>>> Secure Sockets Layer
>>> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>>> ...
>>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>>>
>>> which is sort of what I expect.
...
>>> However when I throw
>>>
>>> https://www.ssllabs.com/ssltest/analyze.html
>>>
>>> their analyzer at it - it seems to be quite able to convince the server to say hellos with
>>>
>>> SSLv3 Record Layer: Handshake Protocol: Server Hello
>>> Content Type: Handshake (22)
>>> Version: SSL 3.0 (0x0300)
>>> ...
>>> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
...
>>
>> It looks like OpenSSL isn't receiving that cipher string properly or if it is
>> being overridden by something else possible elsewhere in the config file. You
>> can probe individual ciphersuites using s_client like this:
>>
>> openssl s_client -connect www.hostname.com:443 \
>> -cipher ECDHE-RSA-AES256-GCM-SHA384
>>
>> If it isn't supported the connection shouldn't complete.
>
> Right - yet it does - and matches the suites found by www.ssllabs.com as well. I’ll instrument OpenSSL a bit to see
> what it actually receives and thinks it is doing.
>
> Perhaps apache manages to confuse some context.
Ok - so OpenSSL is not at fault. It is in apache config land that we confuse contexts between
virtualhosts; the _default_:443, the *:443 and the 'base' virtual hosts - and I think that this
is almost a 'must' as soon as SNI is active. And we cannot really solve it with -ALL or !ALL.
Will dig a bit deeper - but my guess is that the 'best' solution may well be a WARN flag if we
detect an 'override' on the same ssl context and/or an INFO flag that shows the per VHOST
actual result.
Will puzzle a bit,
Dw
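The per-VHOST result described in the post above, as an added example that is not part of the thread and not httpd's own code: it walks a flat httpd config, resolves which SSLCipherSuite each <VirtualHost> ends up with (its own, or the base server's), applies the !aNULL:!eNULL:!EXP: prefix Rüdiger mentions earlier in the thread, and reports ports on which vhosts disagree. It assumes the simplified mod_ssl merge rule (a vhost without the directive inherits the base server's value), does not follow Include lines, and runs over the constructed config embedded in it.

```python
"""Effective SSLCipherSuite per <VirtualHost> in a flat httpd config.

Added example, not httpd's own code. Assumes the simplified mod_ssl merge rule
(a vhost without SSLCipherSuite inherits the base server's value) and models
the "!aNULL:!eNULL:!EXP:" prefix mentioned in the thread; Include files are
not followed."""
import re
from collections import defaultdict

# Prefix mod_ssl prepends regardless of the configured string (per the thread).
ALWAYS_DISABLED = "!aNULL:!eNULL:!EXP:"

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(ServerName|SSLCipherSuite|SSLProtocol)\s+(.+?)\s*$", re.I)

# Constructed sample config (not a real deployment): the base server carries the
# cipher string from the thread, one vhost inherits it, two override it.
SAMPLE_CONF = """
SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3

<VirtualHost _default_:443>
    ServerName default.example.test      # no SSLCipherSuite here: inherits
</VirtualHost>

<VirtualHost *:443>
    ServerName strict.example.test
    SSLCipherSuite ECDHE-RSA-AES256-SHA
</VirtualHost>

<VirtualHost *:443>
    ServerName legacy.example.test
    SSLCipherSuite ALL
</VirtualHost>
"""


def parse_config(text):
    """Return (base_directives, vhosts); each vhost is {"addr", "directives"}."""
    base, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = VHOST_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError("nested <VirtualHost>")
            current = {"addr": m.group(1).strip(), "directives": {}}
            continue
        if VHOST_CLOSE.match(line):
            if current is None:
                raise ValueError("</VirtualHost> without matching open")
            vhosts.append(current)
            current = None
            continue
        m = DIRECTIVE.match(line)
        if m:
            target = base if current is None else current["directives"]
            target[m.group(1).lower()] = m.group(2)
    if current is not None:
        raise ValueError("unterminated <VirtualHost>")
    return base, vhosts


def effective_cipher_suites(text):
    """One entry per vhost: where its cipher string comes from and the string
    mod_ssl would hand to OpenSSL under the assumptions above."""
    base, vhosts = parse_config(text)
    report = []
    for vh in vhosts:
        own = vh["directives"]
        if "sslciphersuite" in own:
            value, origin = own["sslciphersuite"], "set in vhost"
        elif "sslciphersuite" in base:
            value, origin = base["sslciphersuite"], "inherited from base server"
        else:
            value, origin = None, "mod_ssl built-in default (not modelled here)"
        report.append({
            "addr": vh["addr"],
            "servername": own.get("servername", "(no ServerName)"),
            "origin": origin,
            "effective": ALWAYS_DISABLED + value if value is not None else None,
        })
    return report


def find_port_conflicts(text):
    """Ports on which vhosts resolve to different cipher strings. Grouped by port
    only, because _default_:443 and *:443 answer on the same socket; which vhost's
    SSL context serves a given client then depends on SNI, which is exactly the
    context confusion the thread describes."""
    by_port = defaultdict(set)
    for entry in effective_cipher_suites(text):
        port = entry["addr"].rsplit(":", 1)[-1]
        by_port[port].add(entry["effective"])
    return {port: strings for port, strings in by_port.items() if len(strings) > 1}


if __name__ == "__main__":
    for e in effective_cipher_suites(SAMPLE_CONF):
        print("%-16s %-22s %-28s %s" % (e["addr"], e["servername"], e["origin"], e["effective"]))
    for port, strings in find_port_conflicts(SAMPLE_CONF).items():
        print("WARN: port %s has %d different cipher strings across vhosts" % (port, len(strings)))
```

Replace SAMPLE_CONF with the contents of the real config (concatenated, since Include is not followed) to get the INFO-style per-vhost listing and the WARN for ports whose vhosts disagree; a port with a single distinct string is one where SNI selection cannot change the cipher outcome.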
Re: Odd - SSLCipherSuite
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On 17 May 2014, at 14:15, Dr Stephen Henson <sh...@opensslfoundation.com> wrote:
> On 14/05/2014 10:23, Dirk-Willem van Gulik wrote:
>> Now I must be getting rusty - we have in the config file
>>
>> SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
>> SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
>>
>> with the first resolving nicely with
>>
>> openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
>>
>> to just
>>
>> ECDHE-RSA-AES256-SHA
>>
>
> Unusual syntax though that should work. I'd normally just use the single
> ciphersuite name in the string:
>
> ECDHE-RSA-AES256-SHA
That still gives us the same results.
>
>> So my assumption is that this server will insist on talking above - and nothing else.
>>
>> And on the wire - if I observe the Server Hello I see:
>>
>> Secure Sockets Layer
>> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>> ...
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>>
>> which is sort of what I expect.
>>
>
> I wouldn't expect that as that isn't the single ciphersuite you've specified.
Ok.
>> However when I throw
>>
>> https://www.ssllabs.com/ssltest/analyze.html
>>
>> their analyzer at it - it seems to be quite able to convince the server to say hellos with
>>
>> SSLv3 Record Layer: Handshake Protocol: Server Hello
>> Content Type: Handshake (22)
>> Version: SSL 3.0 (0x0300)
>> ...
>> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>>
>> or
>>
>> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>> ...
>> Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>>
>> And so on*. I must be missing something very obvious here! Am I
>> misunderstanding SSLCipherSuite or is there something specific about 1.2 which
>> makes certain things mandatory and not under control of SSLCipherSuite?
>>
>
> It looks like OpenSSL isn't receiving that cipher string properly or if it is
> being overridden by something else possible elsewhere in the config file. You
> can probe individual ciphersuites using s_client like this:
>
> openssl s_client -connect www.hostname.com:443 \
> -cipher ECDHE-RSA-AES256-GCM-SHA384
>
> If it isn't supported the connection shouldn't complete.
Right - yet it does - and matches the suites found by www.ssllabs.com as well. I’ll instrument OpenSSL a bit to see
what it actually receives and thinks it is doing.
Perhaps apache manages to confuse some context.
Dw.
Re: Odd - SSLCipherSuite
Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 14/05/2014 10:23, Dirk-Willem van Gulik wrote:
> Now I must be getting rusty - we have in the config file
>
> SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
> SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
>
> with the first resolving nicely with
>
> openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
>
> to just
>
> ECDHE-RSA-AES256-SHA
>
Unusual syntax though that should work. I'd normally just use the single
ciphersuite name in the string:
ECDHE-RSA-AES256-SHA
> So my assumption is that this server will insist on talking above - and nothing else.
>
> And on the wire - if I observe the Server Hello I see:
>
> Secure Sockets Layer
> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
> ...
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>
> which is sort of what I expect.
>
I wouldn't expect that as that isn't the single ciphersuite you've specified.
> However when I throw
>
> https://www.ssllabs.com/ssltest/analyze.html
>
> their analyzer at it - it seems to be quite able to convince the server to say hellos with
>
> SSLv3 Record Layer: Handshake Protocol: Server Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> ...
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>
> or
>
> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
> ...
> Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>
> And so on*. I must be missing something very obvious here! Am I
> misunderstanding SSLCipherSuite or is there something specific about 1.2 which
> makes certain things mandatory and not under control of SSLCipherSuite?
>
It looks like OpenSSL isn't receiving that cipher string properly or if it is
being overridden by something else possible elsewhere in the config file. You
can probe individual ciphersuites using s_client like this:
openssl s_client -connect www.hostname.com:443 \
-cipher ECDHE-RSA-AES256-GCM-SHA384
If it isn't supported the connection shouldn't complete.
Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com