On October 28, 2010 17:30, smu johnson <smujohn...@gmail.com> wrote:
> Unfortunately, I cannot figure out a single way for apache2ctl to tell me what ciphers apache is using. Not what it supports, but what it is currently allowing when clients use https://.

You can configure httpd to log which ciphers are actually being used for each request, see: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats


> The reason is I'm worried that it's allowing 40-bit encryption, and I would like to see actual verification from Apache whether or not my current setup is allowing it.

To see if 40-bit encryption is permitted, run the following from the command line:

openssl s_client -connect your-web-server.example.com:443 -cipher LOW

If you get a line that looks like

140735078042748:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:

then 40-bit encryption is not supported and you are safe. If, however, you get an SSL-Session section in the output, then the Cipher line will indicate which cipher was actually negotiated and used in this test.

More information and additional tests and examples are available at

http://idlethreat.com/site/index.php/archives/181
http://stephenventer.blogspot.com/2006/07/openssl-cipher-strength.html

--
  Mark Montague
  m...@catseye.org
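The `openssl s_client -cipher LOW` check in the reply above can be scripted so that several weak cipher classes are probed in one go and the outcome is classified automatically. The script below is an added example, not code from the thread or from Apache: `classify_s_client_output` reads s_client output and reports either `rejected` (the handshake-failure alert the reply quotes), `negotiated:<CIPHER>` (taken from the `Cipher` line of the SSL-Session block) or `unknown`; `probe_cipher_class` runs the real check against a host. The hostname `your-web-server.example.com` and the list of cipher strings (`LOW`, `EXPORT`, `EXP40`) are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): script the reply's
# "openssl s_client -cipher LOW" test and classify its outcome.

# classify_s_client_output: reads s_client output on stdin and prints one of
#   rejected           - server refused the offered cipher class
#                        (the "sslv3 alert handshake failure" line quoted above)
#   negotiated:<NAME>  - handshake succeeded; <NAME> is the Cipher from SSL-Session
#   unknown            - neither pattern found (connection refused, DNS error, ...)
classify_s_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
        echo rejected
        return 0
    fi
    # A failed handshake still prints an SSL-Session block, with Cipher 0000 or (NONE),
    # so only a real cipher name counts as a successful negotiation.
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    if [ -n "$cipher" ] && [ "$cipher" != "0000" ] && [ "$cipher" != "(NONE)" ]; then
        echo "negotiated:$cipher"
        return 0
    fi
    echo unknown
    return 0
}

# probe_cipher_class HOST [PORT] [CIPHERSTRING]: run the check from the reply
# against a live server and classify the result. Needs network access and openssl.
probe_cipher_class() {
    host=$1
    port=${2:-443}
    suite=${3:-LOW}
    openssl s_client -connect "$host:$port" -cipher "$suite" </dev/null 2>&1 \
        | classify_s_client_output
}

# audit_weak_ciphers HOST: probe a few weak cipher classes (assumed list) and
# flag any that the server accepts. LOW is the class the reply suggests testing;
# EXPORT and EXP40 are the 40/56-bit export classes in OpenSSL's cipher-string syntax.
audit_weak_ciphers() {
    host=$1
    status=0
    for suite in LOW EXPORT EXP40; do
        result=$(probe_cipher_class "$host" 443 "$suite")
        case "$result" in
            rejected)     echo "$suite: rejected (good)" ;;
            negotiated:*) echo "$suite: ACCEPTED, server negotiated ${result#negotiated:}"; status=1 ;;
            *)            echo "$suite: could not determine (check connectivity)" ;;
        esac
    done
    return $status
}

# Usage: sh weakciphers.sh your-web-server.example.com   (placeholder hostname)
if [ $# -gt 0 ]; then
    audit_weak_ciphers "$1"
fi
```

A non-zero exit from `audit_weak_ciphers` means at least one weak class was accepted, which makes the script usable from a cron job or a deployment check. For the logging half of the reply, the mod_ssl documentation linked above gives a `CustomLog` format of the form `"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"`, which records the cipher actually negotiated for every request rather than only for a one-off test.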
