Lines 717-738
717 |
-v</code>'' command which provides a nice way to successively create the |
717 |
-v</code>'' command which provides a nice way to successively create the |
718 |
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string |
718 |
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string |
719 |
depends on the version of the OpenSSL libraries used. Let's suppose it is |
719 |
depends on the version of the OpenSSL libraries used. Let's suppose it is |
720 |
``<code>ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which |
720 |
``<code>RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5</code>'' which |
721 |
means the following: first, remove from consideration any ciphers that do not |
721 |
means the following: Put <code>RC4-SHA</code> and <code>AES128-SHA</code> at |
722 |
authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next, |
722 |
the beginning. We do this, because these ciphers offer a good compromise |
723 |
use ciphers using RC4 and RSA. Next include the high, medium and then the low |
723 |
between speed and security. Next, include high and medium security ciphers. |
724 |
security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the |
724 |
Finally, remove all ciphers which do not authenticate, i.e. for SSL the |
725 |
end of the list.</p> |
725 |
Anonymous Diffie-Hellman ciphers, as well as all ciphers which use |
|
|
726 |
<code>MD5</code> as hash algorithm, because it has proven insecure by now.</p> |
726 |
<example> |
727 |
<example> |
727 |
<pre> |
728 |
<pre> |
728 |
$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP' |
729 |
$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5' |
729 |
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 |
730 |
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 |
730 |
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 |
731 |
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 |
731 |
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 |
732 |
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 |
732 |
... ... ... ... ... |
733 |
... ... ... ... ... |
733 |
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export |
734 |
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 |
734 |
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export |
735 |
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1 |
735 |
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export |
736 |
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1 |
736 |
</pre> |
737 |
</pre> |
737 |
</example> |
738 |
</example> |
738 |
<p>The complete list of particular RSA & DH ciphers for SSL is given in <a |
739 |
<p>The complete list of particular RSA & DH ciphers for SSL is given in <a |
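Review bot: the rewritten explanation at lines 721-725 should say explicitly that the `!aNULL:!MD5` part removes those suites permanently, wherever they sit in the string; "Finally, remove all ciphers which do not authenticate ..." reads as though it is one more ordering step, but unlike the `+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP` components of the old example (which only moved matching suites to the end of the list) a `!` prefix deletes the matches outright, and a reader adapting this string needs to know which prefix does which. One sentence such as "Ciphers excluded with `!` can not be re-added later in the string" would make the new wording accurate. A second, smaller point on the sample listing at lines 728-736: it now shows `PSK-RC4-SHA` (Kx=PSK) and `KRB5-RC4-SHA` (Kx=KRB5), which `openssl ciphers -v` prints because they match HIGH/MEDIUM, yet a server authenticating with an RSA certificate (Au=RSA, as the prose assumes) will never offer them; a short remark that the listing contains suites the server can not actually negotiate would stop readers from counting them as available. The old side's mismatch between the prose (`!aNULL`) and the command (`!ADH`) is correctly resolved on the new side, where both say `!aNULL`.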