Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.
To unpack the terms:

"allows anonymous authentication" - That sounds like allowing anyone to visit your site, since I've never heard of anonymous auth for http, only ftp. Of course, the evil IIS uses a specific account for "anonymous" access (supposedly to protect your filesystem, but it's pants), which might be what they are thinking of.

"allows cleartext communication" - That's what you get on non-secured sites. If the data doesn't need to be secured, there's no issue.

"supports weak encryption" - Allows older browsers that have "export-crippled" security to connect. On the above Netcraft site, you'll see "export version". The question for you is whether it is satisfactory to exclude older browsers from your websites. We've decided it isn't, so we stick with the export ciphers. It's true that they could be compromised in some way, but if there are users out there who are using ancient browsers then they probably have no up-to-date anti-virus protection either, so this is the least of their worries.

You'll need more information about all of these from your auditor, rather than just sweeping statements. We had a security auditor recently who said much the same.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Nearly everything we believe is second hand. For example, less than 500 people have seen the Earth from space, yet the majority of people believe it is round (or an oblate sphere for the pedants).

> -----Original Message-----
> From: Steve Chadsey [mailto:[EMAIL PROTECTED]]
> Sent: 24 January 2003 02:10
> To: [EMAIL PROTECTED]
> Subject: Verifying enabled ciphers?
>
>
> How can I verify the ciphers enabled by my webserver?
>
> The reason I ask is because I have been informed by a third-party
> security auditor that my server "allows anonymous authentication",
> "allows cleartext communication", and "supports weak encryption".
> I am unable to verify any of these claims on my own.
>
> Here is my information
> Apache: 1.3.27
> mod_ssl: mod_ssl/2.8.12-1.3.27
> openssl: openssl-0.9.6g
> OS: Solaris 8
>
> Here are my relevant SSL directives from httpd.conf:
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM:!ADH
> SSLProtocol all -SSLv2
>
> According to
> /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'
> the supported ciphers for my server are:
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
> DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
> IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
> RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
>
> But apparently I am also supporting:
> ADH-DES-CBC-SHA
> DES-CBC-SHA
> EDH-DSS-DES-CBC-SHA
> EDH-RSA-DES-CBC-SHA
> EXP1024-DES-CBC-SHA
> EXP1024-DHE-DSS-DES-CBC-SHA
> EXP1024-DHE-DSS-RC4-SHA
> EXP1024-RC2-CBC-MD5
> EXP1024-RC4-MD5
> EXP1024-RC4-SHA
> EXP-ADH-DES-CBC-SHA
> EXP-ADH-RC4-MD5
> EXP-DES-CBC-SHA
> EXP-EDH-DSS-DES-CBC-SHA
> EXP-EDH-RSA-DES-CBC-SHA
> EXP-RC2-CBC-MD5
> EXP-RC4-MD5
> NULL-MD5
> NULL-SHA
>
> Is the security auditor full of it? How can I verify their results
> from an external machine (they've scanned the network from an
> external box)?
>
> Thanks,
> --
> Steve Chadsey <[EMAIL PROTECTED]>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
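As an added example (not code from the thread, from mod_ssl or from OpenSSL), here is a small Python script that reads lines in the `openssl ciphers -v` layout Steve pasted and maps each suite onto the auditor's three findings (Au=None for anonymous authentication, Enc=None for cleartext, export-grade or short keys for weak encryption), also flagging suites that lie outside the list `HIGH:MEDIUM:!ADH` expanded to. The sample lines are constructed; their Kx/Au/Enc/Mac fields are an assumption to confirm against your own openssl build.

```python
import re
# Constructed sample in the `openssl ciphers -v` layout seen in the thread; the
# names are from the thread, the Kx/Au/Enc/Mac fields are what OpenSSL prints
# for those suites (assumption: confirm against your own build).
SAMPLE = """\
EDH-RSA-DES-CBC3-SHA  SSLv3 Kx=DH        Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5               SSLv3 Kx=RSA       Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-DES-CBC-SHA       SSLv3 Kx=DH        Au=None Enc=DES(56)   Mac=SHA1
EXP-ADH-RC4-MD5       SSLv3 Kx=DH(512)   Au=None Enc=RC4(40)   Mac=MD5  export
EXP1024-RC4-SHA       SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=SHA1 export
NULL-SHA              SSLv3 Kx=RSA       Au=RSA  Enc=None      Mac=SHA1
"""
# What the poster's 'HIGH:MEDIUM:!ADH' expanded to (names from the thread).
CONFIGURED = {"EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
              "DES-CBC3-MD5", "DHE-DSS-RC4-SHA", "IDEA-CBC-SHA", "RC4-SHA",
              "RC4-MD5", "IDEA-CBC-MD5", "RC2-CBC-MD5"}
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$")

def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into dicts; unparsable lines are skipped."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        d = m.groupdict()
        d["export"] = d["export"] is not None   # trailing 'export' flag
        out.append(d)
    return out

def enc_bits(enc):
    """Key length from an Enc field such as 'RC4(40)'; 0 for 'None'."""
    m = re.search(r"\((\d+)\)", enc)
    return int(m.group(1)) if m else 0

def classify(c):
    """Which of the auditor's three findings one suite would trigger."""
    f = set()
    if c["au"] == "None":                 # ADH: no server identity at all
        f.add("anonymous authentication")
    if c["enc"] == "None":                # NULL: integrity only, no secrecy
        f.add("cleartext communication")
    elif c["export"] or enc_bits(c["enc"]) < 128:   # export-grade or short key
        f.add("weak encryption")
    return f

def audit(text, configured=CONFIGURED):
    """Per-suite findings plus whether the suite lies outside the configured set."""
    return {c["name"]: {"findings": sorted(classify(c)),
                        "unexpected": c["name"] not in configured}
            for c in parse_ciphers(text)}
```

The list from `openssl ciphers` only shows what the library can build, so the check that actually answers the auditor is done from outside: attempt a handshake per suite with `openssl s_client -connect host:443 -cipher <name>` and feed the suites that connect through `audit`.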
