On Fri, Jan 24, 2003 at 09:30:28AM -0000, [EMAIL PROTECTED] wrote:
> Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.
> 

OK.  I did that, and the only one I support is "RC4 with MD5".  Strange, I
thought I would be able to support more.  Actually, to amend my previous
post, the ones I expected to see were:

EDH-RSA-DES-CBC3-SHA 
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-DSS-RC4-SHA
IDEA-CBC-SHA
RC4-SHA
RC4-MD5

since I have SSLv2 shut off.  Would the above list be further limited
by the type (RSA / DSA) key I have?  It is RSA.


> To unpack the terms:
>  
> "allows anonymous authentication" - That sounds like allowing anyone to

I believe they mean Anonymous Diffie-Hellman.  My SSLCipherSuite line
excludes those, so I think they're wrong here.

> "allows cleartext communication" - That's what you get on non-secured sites.
> If the data doesn't need to be secured, there's no issue.

I believe they are referring to the NULL-MD5 cipher.  I tested that
with s_client, and I can't connect ('handshake failure'), so I don't
believe I'm supporting that one either.

> 
> "supports weak encryption" - Allows older browsers that have
> "export-crippled" security to connect. On the above Netcraft site, you'll
> see "export version". The question for you is whether it is satisfactory to

Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according
to my SSLCipherSuite line.  

To follow up to Lutz, I tested all the ciphers with s_client against
my server.  The ones that I connected with were:

DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
IDEA-CBC-SHA
RC4-MD5
RC4-SHA

This is a shorter list than what I was expecting (at the top of
this message).

The following did not connect, giving me a 'handshake failure':

ADH-DES-CBC3-SHA 
ADH-DES-CBC-SHA
ADH-RC4-MD5
DES-CBC-SHA
DHE-DSS-RC4-SHA
EDH-DSS-DES-CBC3-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

The following gave me 'illegal parameter':

DES-CBC3-MD5
DES-CBC-MD5
IDEA-CBC-MD5
RC2-CBC-MD5
RC4-64-MD5


Thanks,
-- 
Steve <[EMAIL PROTECTED]>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
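
Added example, not part of the original message or of mod_ssl/OpenSSL: a small Python model of why an RSA-keyed server with SSLv2 off and only HIGH/MEDIUM non-anonymous ciphers enabled ends up with the five suites that connected above. The strength classes and the SSLv2-only set are assumptions taken from OpenSSL's cipher naming of that era, and the function names are hypothetical.

```python
import re

# Assumption: suites that OpenSSL of that era defines for SSLv2 only.
SSLV2_ONLY = {"DES-CBC3-MD5", "DES-CBC-MD5", "IDEA-CBC-MD5", "RC2-CBC-MD5", "RC4-64-MD5"}
# Assumption: strength classes as used by the HIGH/MEDIUM/LOW cipher aliases.
STRENGTH = {"DES-CBC3": "HIGH", "RC4": "MEDIUM", "IDEA-CBC": "MEDIUM",
            "RC2-CBC": "MEDIUM", "DES-CBC": "LOW", "RC4-64": "LOW"}
# Constructed sample input: the list the poster expected to see.
EXPECTED = ["EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
            "DHE-DSS-RC4-SHA", "IDEA-CBC-SHA", "RC4-SHA", "RC4-MD5"]
PATTERN = re.compile(r"(EXP(?:1024)?-)?(?:(ADH)-|(?:EDH|DHE)-(RSA|DSS)-)?(.+)-(MD5|SHA)")

def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher, MAC and strength."""
    m = PATTERN.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    export, adh, dh_auth, enc, mac = m.groups()
    if adh:
        kx, auth = "DH", None        # anonymous DH: no certificate involved
    elif dh_auth:
        kx, auth = "DH", dh_auth     # ephemeral DH, signed with the server key
    else:
        kx, auth = "RSA", "RSA"      # RSA key transport
    strength = "EXPORT" if export else STRENGTH.get(enc, "UNKNOWN")
    return {"kx": kx, "auth": auth, "enc": enc, "mac": mac, "strength": strength}

def rejection_reason(name, key_type="RSA", allowed=("HIGH", "MEDIUM"), sslv2=False):
    """Return None if the server could negotiate the suite, else the first reason it cannot."""
    if name in SSLV2_ONLY and not sslv2:
        return "SSLv2-only suite"
    suite = parse_suite(name)
    if suite["auth"] is None:
        return "anonymous DH"
    if suite["strength"] not in allowed:
        return f"{suite['strength']} strength excluded"
    if suite["auth"] != key_type:
        return f"needs a {suite['auth']} key"
    return None

def negotiable(names, **policy):
    """Sorted list of the suites that pass every check for the given policy."""
    return sorted(n for n in names if rejection_reason(n, **policy) is None)

if __name__ == "__main__":
    for suite_name in EXPECTED:
        print(f"{suite_name:24} {rejection_reason(suite_name) or 'negotiable'}")
```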
