How can I verify the ciphers enabled by my webserver? The reason I ask is because I have been informed by a third-party security auditor that my server "allows anonymous authentication", "allows cleartext communication", and "supports weak encryption". I am unable to verify any of these claims on my own.
Here is my information:

  Apache:  1.3.27
  mod_ssl: mod_ssl/2.8.12-1.3.27
  openssl: openssl-0.9.6g
  OS:      Solaris 8

Here are my relevant SSL directives from httpd.conf:

  SSLEngine on
  SSLCipherSuite HIGH:MEDIUM:!ADH
  SSLProtocol all -SSLv2

According to

  /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'

the supported ciphers for my server are:

  EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
  EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
  DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
  DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
  DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
  IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
  RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
  RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
  IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=MD5
  RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
  RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5

But apparently I am also supporting:

  ADH-DES-CBC-SHA
  DES-CBC-SHA
  EDH-DSS-DES-CBC-SHA
  EDH-RSA-DES-CBC-SHA
  EXP1024-DES-CBC-SHA
  EXP1024-DHE-DSS-DES-CBC-SHA
  EXP1024-DHE-DSS-RC4-SHA
  EXP1024-RC2-CBC-MD5
  EXP1024-RC4-MD5
  EXP1024-RC4-SHA
  EXP-ADH-DES-CBC-SHA
  EXP-ADH-RC4-MD5
  EXP-DES-CBC-SHA
  EXP-EDH-DSS-DES-CBC-SHA
  EXP-EDH-RSA-DES-CBC-SHA
  EXP-RC2-CBC-MD5
  EXP-RC4-MD5
  NULL-MD5
  NULL-SHA

Is the security auditor full of it? How can I verify their results from an external machine (they've scanned the network from an external box)?

Thanks,
-- 
Steve Chadsey <[EMAIL PROTECTED]>
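One way to check both halves of the question, added here as an example (it is not code from the post, from mod_ssl or from OpenSSL): first parse `openssl ciphers -v` output, the format the post shows, and map each suite onto the auditor's three findings (Au=None is anonymous authentication, Enc=None is cleartext, an export flag or a short key is weak encryption); then, from an external machine, ask the server suite by suite which ones it will actually negotiate. The live probe is the check that matters, because `openssl ciphers` only shows what a cipher string means to the local library, not what a given server ended up serving. The sample `-v` lines are constructed from suite names in the post; HOST and PORT are placeholders. A current OpenSSL build no longer contains SSLv2, export or NULL suites, so for those `probe_suite` returns None (cannot offer locally) and an older toolchain, like the 0.9.6 one in the post, is needed to probe them.

```python
"""Cipher-suite audit helper (added example; not the post's or mod_ssl's code)."""
import re
import socket
import ssl
import subprocess
from typing import Dict, List, Optional

MIN_BITS = 128  # anything shorter is reported as "weak encryption"

# Constructed sample of `openssl ciphers -v` output using suite names from the
# post; the column layout follows what OpenSSL prints (trailing "export" flag).
SAMPLE_CIPHERS_V = """\
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
"""

_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


def parse_ciphers_v(text: str) -> List[Dict]:
    """Turn `openssl ciphers -v` lines into dicts; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        enc = m.group("enc")                      # e.g. "3DES(168)" or "None"
        bits_m = re.search(r"\((\d+)\)", enc)
        suites.append({
            "name": m.group("name"),
            "proto": m.group("proto"),
            "au": m.group("au"),
            "enc": enc.split("(")[0],
            "bits": int(bits_m.group(1)) if bits_m else 0,
            "export": m.group("export") is not None,
        })
    return suites


def findings(suite: Dict, min_bits: int = MIN_BITS) -> List[str]:
    """Map one parsed suite onto the auditor's three categories."""
    out = []
    if suite["au"] == "None":
        out.append("anonymous authentication")
    if suite["enc"] == "None":
        out.append("cleartext communication")
    elif suite["export"] or suite["bits"] < min_bits:
        out.append("weak encryption")
    return out


def audit(text: str) -> Dict[str, List[str]]:
    """Return {suite name: findings} for every flagged suite in -v output."""
    report = {}
    for s in parse_ciphers_v(text):
        f = findings(s)
        if f:
            report[s["name"]] = f
    return report


def local_suites(cipher_string: str = "ALL:eNULL") -> str:
    """Raw -v output of the local openssl (eNULL is excluded from ALL, so add it back)."""
    return subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          check=True, capture_output=True, text=True).stdout


def probe_suite(host: str, port: int, cipher: str, timeout: float = 5.0) -> Optional[bool]:
    """True if the server negotiates `cipher`, False if it refuses it,
    None if the local OpenSSL cannot offer that suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # testing the suite list, not the cert
    try:
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # allow old protocols
    except (ValueError, ssl.SSLError):
        pass
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")  # let OpenSSL 1.1+ offer weak suites
    except ssl.SSLError:
        try:
            ctx.set_ciphers(cipher)               # builds without security levels
        except ssl.SSLError:
            return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except (ssl.SSLError, OSError):
        return False


def probe_all(host: str, port: int, text: str) -> Dict[str, Optional[bool]]:
    """Probe every suite named in -v output; {name: True / False / None}."""
    return {s["name"]: probe_suite(host, port, s["name"]) for s in parse_ciphers_v(text)}


if __name__ == "__main__":
    import sys
    HOST = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder
    PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    listing = local_suites()
    by_name = {s["name"]: s for s in parse_ciphers_v(listing)}
    for name, result in probe_all(HOST, PORT, listing).items():
        status = {True: "ACCEPTED", False: "refused", None: "n/a locally"}[result]
        print(f"{name:28} {status:12} {', '.join(findings(by_name[name])) or 'ok'}")
```

Run it from the outside box as `python3 audit.py www.example.com 443` and compare the ACCEPTED rows against the auditor's list; any ACCEPTED row that `audit()` flags is a confirmed finding, independent of what the cipher string on the server claims. The thresholds are the post's 2003 ones (RC4(128) passes); lower MIN_BITS or add RC4 to the weak rule for a present-day baseline.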