Bug 51958 - mod_ssl documentation is confusing re. SSLCipherSuite Directive
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation
Version: 2.2-HEAD
Hardware: All All
Importance: P2 minor
Target Milestone: ---
Assignee: HTTP Server Documentation List
Keywords: PatchAvailable
 
Reported: 2011-10-05 02:51 UTC by Andrew Daviel
Modified: 2012-04-11 11:30 UTC



Attachments
proposed patch for very outdated SSLCipherSuite doc (2.51 KB, patch)
2012-04-10 21:11 UTC, Igor Galić
Description Andrew Daviel 2011-10-05 02:51:20 UTC
In the Apache documentation
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
there is an example:

$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
...

Using this command on Linux, the NULL ciphers are suppressed so that NULL-SHA is not listed.


The page also states:

"The default cipher-spec string is ``ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'' which means the following: first, remove from consideration any ciphers that do not authenticate, ... Next, use ciphers using RC4 and RSA."

I interpret this to mean that ciphers using RC4 are first in the list. But in fact, these ciphers are already included in ALL, and are not first. The presence of RC4+RSA in the cipher string has no effect at all.


Using openssl-0.9.8e on RHEL5.2.
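
The cipher-string rules behind the report above, as an added example that is not part of the original bug report or of the Apache or OpenSSL code: a simplified Python model of the rules in the ciphers(1) manual, run over a constructed cipher table. The table, its tags and the function name `expand` are assumptions for illustration; which ciphers `ALL` contains and in what order depends on the OpenSSL build.

```python
# Simplified model of OpenSSL cipher-string evaluation (rules from ciphers(1)).
# CIPHERS is a constructed sample table, not the output of any OpenSSL build;
# each tag set is a simplification of the aliases a real cipher matches.
CIPHERS = [
    ("DES-CBC-SHA",    {"RSA", "LOW"}),
    ("RC4-SHA",        {"RSA", "RC4", "MEDIUM"}),
    ("ADH-AES256-SHA", {"ADH", "HIGH"}),
    ("AES256-SHA",     {"RSA", "HIGH"}),
    ("EXP-RC4-MD5",    {"RSA", "RC4", "EXP"}),
    ("RC4-MD5",        {"RSA", "RC4", "MEDIUM"}),
    ("ADH-RC4-MD5",    {"ADH", "RC4", "MEDIUM"}),
    ("DES-CBC-MD5",    {"RSA", "LOW", "SSLv2"}),
]

def expand(spec, ciphers=CIPHERS):
    """Return the ordered cipher list that `spec` selects from `ciphers`."""
    order, killed = [], set()
    for token in spec.split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        want = set(token[len(op):].split("+"))   # "A+B" means A AND B
        match = [n for n, tags in ciphers if want <= tags | {"ALL"}]
        if op == "!":                            # permanent removal
            killed.update(match)
            order = [c for c in order if c not in match]
        elif op == "-":                          # removal, may be re-added later
            order = [c for c in order if c not in match]
        elif op == "+":                          # move listed ciphers to the end
            order = ([c for c in order if c not in match]
                     + [c for c in order if c in match])
        else:                                    # append only what is not yet listed
            order += [c for c in match if c not in order and c not in killed]
    return order

DOC_DEFAULT = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
WITHOUT_RC4 = "ALL:!ADH:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

if __name__ == "__main__":
    for name in expand(DOC_DEFAULT):
        print(name)
    changed = expand(DOC_DEFAULT) != expand(WITHOUT_RC4)
    print("RC4+RSA changes the result:", changed)
```

In this model the bare `RC4+RSA` token adds nothing because every matching cipher is already in the list from `ALL`, and the later `+HIGH` ... `+EXP` tokens alone decide the final order.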
Comment 1 Igor Galić 2012-04-03 08:38:19 UTC
That particular part of the documentation is ca. 10 years old. Might be time to update it.
Comment 2 Igor Galić 2012-04-10 20:46:18 UTC
I just realized that the discussion we had in #httpd-dev hasn't been transferred over here.

Let's see if I can remotely remember it:

The docs on this are 10 y/o. Back then, OpenSSL 0.9.6e was new and hot. Since then the behaviour of this output has changed, a lot.

We should replace the output with what a current version of OpenSSL provides, so as not to confuse people.
Comment 3 Igor Galić 2012-04-10 21:11:42 UTC
Created attachment 28572
proposed patch for very outdated SSLCipherSuite doc

use pquerna's CipherSuite as example. Explain what it does.
Comment 4 Igor Galić 2012-04-11 11:30:55 UTC
r1324707