On Thu, Feb 12, 2004 at 02:30:06PM -0000, Daniel Eggleston wrote:
> Hello all,
> 
> I would like our secure server to default to 3DES 168-bit high
> encryption for SSL sessions, but with the ability to fall back to
> 128-bit RC4 _only_ if the client doesn't support 3DES. My current
> cipher-spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which,
> with my version of OpenSSL, equates to:
> 
> EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5
> 
> Is it possible to construct a cipher-spec string that will make
> Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are
> 'offered' by the client (most clients seem to offer RC4 ciphers before
> 3DES ones in the 'Client Hello').
> 
> It seems that unless I completely disable RC4 on the server, it always
> gets chosen ahead of 3DES :-( This is my first post here so thanks in
> advance for any help.

There is no such way by modifying the cipher suite.
The server always chooses the first ciphersuite supported by the server
according to the list sent by the client.
OpenSSL 0.9.7 does support an option to change this behaviour such that
the server's preferences are used, but to the best of my knowledge there
is no switch in mod_ssl to set this flag.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
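The selection rule Lutz describes (walk the client's list, take the first suite the server also allows) versus the OpenSSL 0.9.7 server-preference option (walk the server's list, take the first suite the client offered) can be simulated without a TLS stack. The block below is an added example, not code from the thread or from mod_ssl/OpenSSL; the server list is Daniel's 'HIGH:MEDIUM' expansion and the Client Hello list is constructed to match his observation that clients offer RC4 ahead of 3DES. It also shows why reordering the server's cipher-spec alone changes nothing under the default rule, and that dropping RC4 from the spec (the only lever Daniel has) turns the RC4-only client into a failed handshake rather than a fallback.

```python
# Added example (not from the original mailing-list thread): simulates how a
# TLS server picks a cipher suite from the client's ordered list under the
# two policies described in the reply. Cipher names are OpenSSL names.

# Server's allowed list, in the server's preferred order (Daniel's
# 'HIGH:MEDIUM' expansion; 3DES suites listed ahead of RC4).
SERVER_CIPHERS = [
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
    "DES-CBC3-MD5", "RC4-SHA", "RC4-MD5", "RC2-CBC-MD5",
]

# Constructed Client Hello cipher list: RC4 offered before 3DES, as most
# clients of the time did.
CLIENT_HELLO_CIPHERS = [
    "RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA",
]

# Constructed client that supports only RC4 (the fallback case Daniel wants).
RC4_ONLY_CLIENT = ["RC4-MD5", "RC4-SHA"]


def select_cipher(client_offered, server_allowed, server_preference=False):
    """Return the negotiated cipher name, or None if there is no common suite.

    server_preference=False: default behaviour. The client's list is walked
      in order and the first suite the server also allows wins, so the
      server's own ordering is irrelevant.
    server_preference=True: the SSL_OP_CIPHER_SERVER_PREFERENCE behaviour.
      The server's list is walked in order and the first suite the client
      offered wins, so the server's ordering decides.
    """
    if server_preference:
        walk, accept = server_allowed, set(client_offered)
    else:
        walk, accept = client_offered, set(server_allowed)
    for cipher in walk:
        if cipher in accept:
            return cipher
    return None


def without_rc4(ciphers):
    """The only change to the cipher-spec that forces 3DES under the default
    rule: remove every RC4 suite from what the server allows."""
    return [c for c in ciphers if not c.startswith("RC4")]


def negotiate_all(client_offered):
    """Outcome of one client under each policy, as a dict for comparison."""
    return {
        "default": select_cipher(client_offered, SERVER_CIPHERS),
        "server_preference": select_cipher(
            client_offered, SERVER_CIPHERS, server_preference=True),
        "default_no_rc4": select_cipher(client_offered,
                                        without_rc4(SERVER_CIPHERS)),
    }


if __name__ == "__main__":
    for name, client in (("typical client", CLIENT_HELLO_CIPHERS),
                         ("RC4-only client", RC4_ONLY_CLIENT)):
        print(name, negotiate_all(client))
```

Under the default rule the typical client lands on RC4-MD5 no matter how the server orders its spec; with server preference it lands on EDH-RSA-DES-CBC3-SHA, and the RC4-only client still gets RC4. Removing RC4 from the spec forces 3DES for the typical client but leaves the RC4-only client with no common suite at all. (Later Apache mod_ssl releases added the SSLHonorCipherOrder directive to set the OpenSSL flag; at the time of this thread no such switch existed.)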