On Thu, Oct 10, 2002 at 01:08:01PM +0200, Carl D'Halluin wrote:
> Now one could expect that the server takes the cipher from this intersection, which
> is the first in its SSLCipherSuite settings, or maybe that the server takes the
> strongest common cipher. However this is not true: the server just takes the first
> supported cipher requested by the client.

This is the default behaviour of OpenSSL.

> The funny thing is that most clients first present their weak ciphers, and next
> their strong ciphers. This means that all strong browsers speaking with most SSL
> servers will always speak a very weak cipher.
>
> I think mod_ssl or openssl should be tuned to use their SSLCipherSuite config to
> choose the cipher, instead of using the client config.
>
> I found a reference on this in a thread from 1998
> http://marc.theaimsgroup.com/?l=apache-ssl&m=91231283120300&w=2
>
> Apparently this is not considered a problem, although I consider this a change
> request for mod_ssl and/or openssl.

OpenSSL as of 0.9.7 does have the necessary option to change this default.
Set SSL_OP_CIPHER_SERVER_PREFERENCE with SSL_CTX_set_options().
However: as far as I am aware, mod_ssl does not yet have an httpd.conf option
to enable this flag.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
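The selection rule the thread describes, and the flag Lutz names, as an added example that is not part of the original e-mail and not code from OpenSSL or mod_ssl. It uses Python's `ssl` module, whose `OP_CIPHER_SERVER_PREFERENCE` constant is the binding of OpenSSL's `SSL_OP_CIPHER_SERVER_PREFERENCE` and whose `SSLContext.options` attribute maps onto `SSL_CTX_set_options()`. The cipher lists are constructed for illustration (a client that offers weak suites first, a server configured strong-first); `select_cipher`, `server_context` and `honours_server_order` are names chosen here, not library functions.

```python
import ssl

# Constructed preference lists (illustration only; real clients and servers
# carry their own, longer lists). The client offers its weak suites first,
# exactly the ordering the thread complains about.
CLIENT_OFFER = ["RC4-MD5", "DES-CBC-SHA", "AES256-SHA", "AES128-SHA"]
SERVER_CONFIG = ["AES256-SHA", "AES128-SHA", "DES-CBC-SHA"]   # SSLCipherSuite order


def select_cipher(client_offer, server_config, server_preference):
    """Pick the negotiated cipher the way the thread describes OpenSSL doing it.

    Without server preference, the first suite in the *client's* list that the
    server also supports wins.  With SSL_OP_CIPHER_SERVER_PREFERENCE set, the
    first suite in the *server's* configured order that the client offered wins.
    Returns None when there is no common suite (handshake would fail).
    """
    common = set(client_offer) & set(server_config)
    if not common:
        return None
    ordered = server_config if server_preference else client_offer
    return next(name for name in ordered if name in common)


def server_context(server_preference):
    """Build a server-side SSLContext with the preference flag set or cleared.

    ctx.options is the Python view of SSL_CTX_set_options()/SSL_CTX_clear_options();
    OR-ing the flag in is what a C program does with SSL_CTX_set_options(ctx,
    SSL_OP_CIPHER_SERVER_PREFERENCE).  Modern CPython already sets this flag on a
    fresh context, so it is cleared explicitly here to show the 2002 default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if server_preference:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def honours_server_order(ctx):
    """True when the context will apply its own cipher order during negotiation."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


if __name__ == "__main__":
    for pref in (False, True):
        chosen = select_cipher(CLIENT_OFFER, SERVER_CONFIG, pref)
        ctx = server_context(pref)
        print(f"server preference={pref!s:5}  flag set={honours_server_order(ctx)!s:5}  "
              f"negotiated={chosen}")
```

With the flag cleared the constructed lists negotiate DES-CBC-SHA (the client's first common suite); with it set they negotiate AES256-SHA (the server's first). Two caveats a practitioner would want: CPython's `ssl` module has set `OP_CIPHER_SERVER_PREFERENCE` by default on new contexts since Python 3.6, so the explicit clear above is only there to reproduce the old behaviour; and Apache's mod_ssl later gained the `SSLHonorCipherOrder` directive, which is the httpd.conf switch for this flag that the reply says did not yet exist.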