On Sun, Nov 03, 2013 at 06:18:38PM +0100, Walter H. wrote:

> > >how would I define forward-secrecy on Apache webserver?
> >
> > If the server negotiated both ciphers, it already supports
> > forward-secrecy (aka PFS) if the client does too.
>
> What about a browser that shows this
>
> SSL_CIPHER=RC4-MD5
> SSL_CIPHER_ALGKEYSIZE=128
> SSL_CIPHER_EXPORT=false
> SSL_CIPHER_USEKEYSIZE=128
> SSL_COMPRESS_METHOD=NULL
> SSL_PROTOCOL=TLSv1
> SSL_SECURE_RENEG=true

Your server supports PFS, some browsers don't. Or prefer non-PFS
cipher-suites to PFS. Default settings of OpenSSL 1.0.0 or later
have sensibly ordered ciphersuites. Sufficiently recent versions
of Apache enable EDH/EECDH (aka PFS) cipher-suites by setting
appropriate parameters ((p,g) pairs or named curves).

-- 
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
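
Added example, not part of the original thread: a small classifier that reads mod_ssl variables like the ones quoted above and reports whether the negotiated suite used an ephemeral (forward-secret) key exchange. It goes beyond the thread by also covering anonymous, export and TLS 1.3 suites; the function names and the sample dump are constructed for illustration.

```python
import re

# Constructed from the mod_ssl variables quoted in the thread above.
PAGE_DUMP = """\
> SSL_CIPHER=RC4-MD5
> SSL_CIPHER_EXPORT=false
> SSL_PROTOCOL=TLSv1
"""

# OpenSSL suite-name prefixes that mean an ephemeral (EC)DH key exchange.
# EDH-* is the older OpenSSL spelling of DHE-* (e.g. EDH-RSA-DES-CBC3-SHA).
# Static ECDH-* and DH-* suites deliberately do not match.
EPHEMERAL = re.compile(r"^(ECDHE|DHE|EDH)-")
# Anonymous ephemeral suites: forward secret, but the server is unauthenticated.
ANONYMOUS = re.compile(r"^(ADH|AECDH)-")


def parse_env(dump):
    """Parse KEY=VALUE lines (optionally '>'-quoted) into a dict."""
    env = {}
    for line in dump.splitlines():
        line = line.lstrip("> \t").strip()
        if "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env


def classify(env):
    """Return 'pfs', 'pfs-anonymous', 'export', 'no-pfs' or 'unknown'."""
    cipher = env.get("SSL_CIPHER", "")
    if not cipher:
        return "unknown"
    if env.get("SSL_CIPHER_EXPORT") == "true" or cipher.startswith("EXP-"):
        return "export"  # export-grade suite: weak regardless of key exchange
    # TLS 1.3 full handshakes always use (EC)DHE; OpenSSL names them TLS_*.
    if env.get("SSL_PROTOCOL") == "TLSv1.3" or cipher.startswith("TLS_"):
        return "pfs"
    if ANONYMOUS.match(cipher):
        return "pfs-anonymous"
    return "pfs" if EPHEMERAL.match(cipher) else "no-pfs"


if __name__ == "__main__":
    print(classify(parse_env(PAGE_DUMP)))  # the browser from the thread
```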