On 03.11.2013 18:27, Viktor Dukhovni wrote:
> On Sun, Nov 03, 2013 at 06:18:38PM +0100, Walter H. wrote:
>> how would I define forward-secrecy on Apache webserver?
> If the server negotiated both ciphers, it already supports
> forward-secrecy (aka PFS) if the client does too.
>> What about a browser that shows this
>> SSL_CIPHER=RC4-MD5
>> SSL_CIPHER_ALGKEYSIZE=128
>> SSL_CIPHER_EXPORT=false
>> SSL_CIPHER_USEKEYSIZE=128
>> SSL_COMPRESS_METHOD=NULL
>> SSL_PROTOCOL=TLSv1
>> SSL_SECURE_RENEG=true
> Your server supports PFS, some browsers don't. Or prefer non-PFS
> cipher-suites to PFS. Default settings of OpenSSL 1.0.0 or later
> have sensibly ordered ciphersuites. Sufficiently recent versions
> of Apache enable EDH/EECDH (aka PFS) cipher-suites by setting
> appropriate parameters ((p,g) pairs or named curves).

Ok, I understand; how good is this encryption in comparison
to the other two I mentioned before?
What does SSL_SECURE_RENEG say to me?
Some browsers show true, some show false ...
Thanks,
Walter
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
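
Added example, not part of the original thread: a small checker that reads a mod_ssl SSL_* variable dump like the one quoted above and reports whether the negotiated suite uses an ephemeral (PFS) key exchange. It assumes OpenSSL suite names as used up to TLS 1.2; the function names and finding labels are made up for this illustration, and the second dump in the test is constructed.

```python
# Added example: classify a mod_ssl SSL_* dump (KEY=VALUE lines).
# Assumption: OpenSSL suite names for TLS 1.2 and earlier.
FS_PREFIXES = ("DHE-", "EDH-", "ECDHE-")   # ephemeral, authenticated DH/ECDH
ANON_PREFIXES = ("ADH-", "AECDH-")         # ephemeral but unauthenticated
WEAK_TOKENS = {"RC4", "MD5", "NULL", "EXP"}

# The dump quoted in the thread.
PAGE_DUMP = """SSL_CIPHER=RC4-MD5
SSL_CIPHER_ALGKEYSIZE=128
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=128
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1
SSL_SECURE_RENEG=true"""


def parse_env(text):
    """Parse KEY=VALUE lines, ignoring blanks and lines without '='."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            env[key] = value
    return env


def assess(env):
    """Return the key-exchange class and weak components of SSL_CIPHER."""
    cipher = env.get("SSL_CIPHER", "")
    if cipher.startswith("TLS_"):
        kx = "not-classified"          # TLS 1.3 names are out of scope here
    elif cipher.startswith(FS_PREFIXES):
        kx = "forward-secret"
    elif cipher.startswith(ANON_PREFIXES):
        kx = "anonymous"
    else:
        kx = "no-forward-secrecy"      # e.g. static RSA key exchange
    findings = sorted(set(cipher.split("-")) & WEAK_TOKENS)
    if env.get("SSL_CIPHER_EXPORT") == "true":
        findings.append("EXPORT")
    if env.get("SSL_SECURE_RENEG") == "false":
        findings.append("NO-SECURE-RENEG")  # peer lacks RFC 5746 support
    return {"cipher": cipher, "key_exchange": kx, "findings": findings}


if __name__ == "__main__":
    print(assess(parse_env(PAGE_DUMP)))
```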