``<code>ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which

``<code>RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5</code>'' which

means the following: first, remove from consideration any ciphers that do not

means the following: Put <code>RC4-SHA</code> and <code>AES128-SHA</code> at

authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next,

the beginning. We do this, because these ciphers offer a good compromise

use ciphers using RC4 and RSA. Next include the high, medium and then the low

between speed and security. Next, include high and medium security ciphers.

security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the

Finally, remove all ciphers which do not authenticate, i.e. for SSL the

end of the list.</p>

Anonymous Diffie-Hellman ciphers, as well as all ciphers which use

<code>MD5</code> as hash algorithm, because it has proven insecure by now.</p>

$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'

$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'

NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1

RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1

NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1

EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1

EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export

PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1

EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1