Hello all,

I quote the mod_ssl documentation present at http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9

"An SSL cipher can also be an export cipher and is either a SSLv2 or SSLv3/TLSv1 cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use, one can either specify all the Ciphers, one at a time, or use aliases to specify the preference and order for the ciphers (see Table 1)."

There it says "use aliases to specify the preference and order for the ciphers". I wonder what is meant by this.

My problem emerged with a Netscape browser which can speak both weak and strong ciphers. In the SSL handshake it presents all these ciphers. Next, the Apache server takes its set of supported ciphers and makes the intersection between its set and the set of the client. Now one could expect that the server takes the cipher from this intersection which is the first in its SSLCipherSuite settings, or maybe that the server takes the strongest common cipher. However, this is not true: the server just takes the first supported cipher requested by the client.

The funny thing is that most clients first present their weak ciphers, and next their strong ciphers. This means that all strong browsers speaking with most SSL servers will always speak a very weak cipher.

I think mod_ssl or OpenSSL should be tuned to use their SSLCipherSuite config to choose the cipher, instead of using the client config. I found a reference on this in a thread from 1998: http://marc.theaimsgroup.com/?l=apache-ssl&m=91231283120300&w=2

Apparently this is not considered a problem, although I consider this a change request for mod_ssl and/or OpenSSL.

Kind regards,
-- 
__________________________________________________
Carl D'Halluin - Product Manager DMZ/Shield
We secure e-business.
http://www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
Ubizen - Ubicenter - Philipssite 5 - B-3001 Leuven - Belgium
__________________________________________________
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
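The negotiation the post describes, written out as an added illustration (this is not code from the post, from mod_ssl or from OpenSSL): the server's SSLCipherSuite list acting only as a filter while the client's ClientHello order decides the winner, beside the server-preference policy the post asks for. The cipher names and the browser's weak-first offer are constructed for the example; the server list stands in for an already-expanded SSLCipherSuite string, strongest first.

```python
"""Simulate TLS cipher-suite selection under the two preference policies.

Added illustration, not code from the original post or from mod_ssl/OpenSSL.
Cipher names (OpenSSL spelling) and both orderings are constructed for the
example; the client order mimics the weak-first ClientHello the post describes.
"""

# Server-side SSLCipherSuite as OpenSSL would expand it: strongest first,
# which is what an administrator writing the directive intends. (Constructed.)
SERVER_CIPHERSUITE = [
    "DES-CBC3-SHA",      # 168-bit 3DES
    "RC4-SHA",           # 128-bit RC4
    "RC4-MD5",           # 128-bit RC4
    "EXP-RC4-MD5",       # 40-bit export grade
    "EXP-RC2-CBC-MD5",   # 40-bit export grade
]

# Cipher list offered by a constructed "strong" browser in its ClientHello:
# export ciphers first, strong ciphers last, as the post observes.
CLIENT_HELLO_CIPHERS = [
    "EXP-RC4-MD5",
    "EXP-RC2-CBC-MD5",
    "RC4-MD5",
    "RC4-SHA",
    "DES-CBC3-SHA",
]


def select_client_preference(client_offered, server_allowed):
    """First cipher in the CLIENT's order that the server also allows.

    The behaviour the post complains about: the server's ordering only
    filters, it never ranks.
    """
    allowed = set(server_allowed)
    for cipher in client_offered:
        if cipher in allowed:
            return cipher
    return None  # no cipher in common: the handshake fails


def select_server_preference(client_offered, server_allowed):
    """First cipher in the SERVER's order that the client offered.

    The behaviour the post asks for. Later mod_ssl releases expose this as
    'SSLHonorCipherOrder on' (OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE).
    """
    offered = set(client_offered)
    for cipher in server_allowed:
        if cipher in offered:
            return cipher
    return None


def negotiate(client_offered, server_allowed, honor_server_order):
    """Return the negotiated cipher under the chosen policy (None on failure)."""
    if honor_server_order:
        return select_server_preference(client_offered, server_allowed)
    return select_client_preference(client_offered, server_allowed)


def is_export_cipher(name):
    """True for 40/56-bit export-grade suites, which OpenSSL names EXP-*."""
    return name.startswith("EXP-")


def without_export(server_allowed):
    """The server list with export suites removed, i.e. the effect of '!EXP'
    in SSLCipherSuite: the only lever when server order is not honoured."""
    return [c for c in server_allowed if not is_export_cipher(c)]


if __name__ == "__main__":
    for honor in (False, True):
        chosen = negotiate(CLIENT_HELLO_CIPHERS, SERVER_CIPHERSUITE, honor)
        print(f"honor server order={honor!s:5} negotiated={chosen:16} "
              f"export grade={is_export_cipher(chosen)}")
    chosen = negotiate(CLIENT_HELLO_CIPHERS, without_export(SERVER_CIPHERSUITE), False)
    print(f"client order, but '!EXP' on the server: negotiated={chosen}")
```

With client preference the constructed browser lands on EXP-RC4-MD5 even though both sides support 3DES; with server preference the same two lists negotiate DES-CBC3-SHA. The third run shows the workaround available when server order cannot be enforced: excluding the weak suites from SSLCipherSuite altogether, so the client's weak-first order has nothing weak left to win.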
