Hello all,

I would like our secure server to default to 3DES 168-bit high encryption for SSL sessions, but with the ability to fall back to 128-bit RC4 _only_ if the client doesn't support 3DES. My current cipher-spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which, with my version of OpenSSL, equates to:

EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5

Is it possible to construct a cipher-spec string that will make Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are 'offered' by the client (most clients seem to offer RC4 ciphers before 3DES ones in the 'Client Hello')? It seems that unless I completely disable RC4 on the server, it always gets chosen ahead of 3DES :-(

This is my first post here so thanks in advance for any help.

Kind Regards,

Daniel Eggleston
Senior Network Developer
Boxing Orange Ltd
t: 0871 871 2774
f: 0871 871 0068
[EMAIL PROTECTED]
http://www.boxingorange.com/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
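
Added example (not part of the original post, and not mod_ssl or OpenSSL code): a small Python model of the cipher selection described above. It shows that the order of the server's cipher list only decides the outcome when the server is told to prefer its own order (OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE option, exposed in mod_ssl for Apache 2.x as the SSLHonorCipherOrder directive). The function name and the two client offers are constructed for illustration.

```python
# Model of SSL/TLS cipher selection; an illustration, not mod_ssl source.

# Server list from the post (expansion of 'HIGH:MEDIUM'), with the
# duplicate RC4-MD5 entry dropped.
SERVER_CIPHERS = [
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
    "DES-CBC3-MD5", "RC4-SHA", "RC4-MD5", "RC2-CBC-MD5",
]

# Constructed Client Hello cipher orders (assumptions, not captured traffic).
CLIENT_RC4_FIRST = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]  # offers 3DES last
CLIENT_RC4_ONLY = ["RC4-MD5", "RC4-SHA"]                   # no 3DES support


def select_cipher(client_offer, server_list, server_preference):
    """Return the negotiated cipher name, or None if nothing is shared.

    server_preference=False: walk the client's order and take the first
    cipher the server also enables (the behaviour the post observes).
    server_preference=True: walk the server's order and take the first
    cipher the client also offered.
    """
    if server_preference:
        ordered, allowed = server_list, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_list)
    for name in ordered:
        if name in allowed:
            return name
    return None


if __name__ == "__main__":
    for label, offer in (("RC4 first, 3DES last", CLIENT_RC4_FIRST),
                         ("RC4 only", CLIENT_RC4_ONLY)):
        for pref in (False, True):
            mode = "server order" if pref else "client order"
            chosen = select_cipher(offer, SERVER_CIPHERS, pref)
            print(f"{label:22} {mode:13} -> {chosen}")
```

With client order in force, reordering the server's list changes nothing; with server order, 3DES wins whenever the client offers it and RC4 remains the fallback for clients that do not.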