ASF Bugzilla – Attachment 28572 Details for
Bug 51958
mod_ssl documentation is confusing re. SSLCipherSuite Directive
[patch]
proposed patch for very outdated SSLCipherSuite doc
ciphersuite_propsed.patch (text/plain), 2.51 KB, created by
Mina Galić
on 2012-04-10 21:11:42 UTC
>Index: mod/mod_ssl.xml >=================================================================== >--- mod/mod_ssl.xml (revision 1311981) >+++ mod/mod_ssl.xml (working copy) 
>@@ -717,22 +717,23 @@ > -v</code>'' command which provides a nice way to successively create the > correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string > depends on the version of the OpenSSL libraries used. Let's suppose it is >-``<code>ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which >-means the following: first, remove from consideration any ciphers that do not >-authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next, >-use ciphers using RC4 and RSA. Next include the high, medium and then the low >-security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the >-end of the list.</p> >+``<code>RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5</code>'' which >+means the following: Put <code>RC4-SHA</code> and <code>AES128-SHA</code> at >+the beginning. We do this, because these ciphers offer a good compromise >+between speed and security. Next, include high and medium security ciphers. >+Finally, remove all ciphers which do not authenticate, i.e. for SSL the >+Anonymous Diffie-Hellman ciphers, as well as all ciphers which use >+<code>MD5</code> as hash algorithm, because it has proven insecure by now.</p> > <example> > <pre> >-$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP' >-NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 >-NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 >-EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 >+$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5' >+RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 >+AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 >+DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 > ... ... ... ... ... 
>-EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export >-EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export >-EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export >+SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 >+PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1 >+KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1 > </pre> > </example> > <p>The complete list of particular RSA & DH ciphers for SSL is given in <a
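Review bot: In the rewritten paragraph, the sentence "We do this, because these ciphers offer a good compromise between speed and security" reads as a recommendation, but the unchanged lead-in still introduces the string as a supposed OpenSSL default ("Let's suppose it is"). Either present `RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5` explicitly as an example setting and reword the lead-in to match, or drop the rationale, since nothing in the text backs the speed/security claim. Two smaller points in the same hunk: "Finally, remove all ciphers" suggests that the position of `!aNULL:!MD5` matters, whereas `!` deletes the matching ciphers permanently wherever it appears in the string, so the text should say that instead; and "because it has proven insecure by now" should read "because it has been proven insecure". The sample output would also benefit from a remark that the ciphers listed depend on the OpenSSL build, as the paragraph already says of the default.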