Re: Verifying enabled ciphers?
One more question regarding the SSLCipherSuite line. Our security auditor recommended that we change the line

    SSLCipherSuite HIGH:MEDIUM:!ADH

to

    SSLCipherSuite HIGH:MEDIUM:-ADH:-aNULL

What is the difference?

    openssl ciphers -v 'HIGH:MEDIUM:!ADH'

and

    openssl ciphers -v 'HIGH:MEDIUM:-ADH:-aNULL'

both return the same cipher list. Is there a practical difference in the two directives?

Thanks,
--
Steve
[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
Re: Verifying enabled ciphers?
On Thu, Jan 30, 2003 at 11:38:04AM -0700, Steve Chadsey wrote:
> One more question regarding the SSLCipherSuite line. Our security auditor
> recommended that we change the line
>
>     SSLCipherSuite HIGH:MEDIUM:!ADH
>
> to
>
>     SSLCipherSuite HIGH:MEDIUM:-ADH:-aNULL
>
> What is the difference?
>
>     openssl ciphers -v 'HIGH:MEDIUM:!ADH'
>
> and
>
>     openssl ciphers -v 'HIGH:MEDIUM:-ADH:-aNULL'
>
> both return the same cipher list. Is there a practical difference in the
> two directives?

Hmm, not now. aNULL is equivalent to ADH, as Anonymous DH ciphers are the only aNULL ciphers supported. If at any point in the future an anonymous cipher without DH were added (does such a thing exist?), it might make a difference.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
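The two directives Steve compares differ only in the operator, and Lutz's answer is about the keyword (aNULL versus ADH). The operator itself does have a documented difference in OpenSSL's cipher-string rules: `!word` removes matching suites for the rest of the string, while `-word` removes them but lets a later word add them back. The following is an added example, not code from the thread and not OpenSSL's implementation; it models those rules over a hand-picked subset of the suite names in this thread (attributes as `openssl ciphers -v` prints them), with table order standing in for OpenSSL's internal preference order and unknown keywords matching nothing. It reproduces Lutz's point (both strings select the same suites) and goes one step further to show where `!` and `-` diverge: when a later token re-adds a class, `-ADH:ADH` pulls every ADH suite back in, including the LOW and EXPORT ones, while `!ADH:ADH` stays clean.

```python
"""Model of how OpenSSL evaluates a cipher string such as 'HIGH:MEDIUM:!ADH'.

Added, constructed example (not OpenSSL's code and not from the thread). It
implements the rule semantics documented in ciphers(1):

  word       add matching suites that are not yet listed to the end of the list
  +word      move matching suites that are already listed to the end
  -word      delete matching suites; a later word may add them again
  !word      delete matching suites permanently for the rest of the string
  A+B        inside a word: both keywords must match (logical AND)
  @STRENGTH  sort the list by key length, strongest first

TABLE is a hand-picked subset of the suite names from Steve's mails with the
Kx/Au/Enc attributes openssl prints for them; unknown words match nothing.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str             # key exchange: "RSA", "DH", or export-sized "RSA(512)"/"DH(512)"
    au: Optional[str]   # authentication: "RSA", "DSS", or None for anonymous suites
    enc: Optional[str]  # bulk cipher, or None for cleartext (eNULL) suites
    bits: int
    strength: str       # HIGH / MEDIUM / LOW / EXPORT / NONE (OpenSSL 0.9.6 classes)


TABLE: List[Suite] = [
    Suite("EDH-RSA-DES-CBC3-SHA", "DH",       "RSA", "3DES", 168, "HIGH"),
    Suite("DES-CBC3-SHA",         "RSA",      "RSA", "3DES", 168, "HIGH"),
    Suite("ADH-DES-CBC3-SHA",     "DH",       None,  "3DES", 168, "HIGH"),
    Suite("IDEA-CBC-SHA",         "RSA",      "RSA", "IDEA", 128, "MEDIUM"),
    Suite("RC4-SHA",              "RSA",      "RSA", "RC4",  128, "MEDIUM"),
    Suite("RC4-MD5",              "RSA",      "RSA", "RC4",  128, "MEDIUM"),
    Suite("ADH-RC4-MD5",          "DH",       None,  "RC4",  128, "MEDIUM"),
    Suite("DES-CBC-SHA",          "RSA",      "RSA", "DES",   56, "LOW"),
    Suite("ADH-DES-CBC-SHA",      "DH",       None,  "DES",   56, "LOW"),
    Suite("EXP-RC4-MD5",          "RSA(512)", "RSA", "RC4",   40, "EXPORT"),
    Suite("EXP-ADH-RC4-MD5",      "DH(512)",  None,  "RC4",   40, "EXPORT"),
    Suite("NULL-MD5",             "RSA",      "RSA", None,     0, "NONE"),
]


def _kx(s: Suite) -> str:
    return s.kx.split("(")[0]           # "DH(512)" -> "DH"


KEYWORDS: Dict[str, Callable[[Suite], bool]] = {
    "ALL":    lambda s: s.enc is not None,           # everything except eNULL
    "HIGH":   lambda s: s.strength == "HIGH",
    "MEDIUM": lambda s: s.strength == "MEDIUM",
    "LOW":    lambda s: s.strength == "LOW",
    "EXPORT": lambda s: s.strength == "EXPORT",
    "EXP":    lambda s: s.strength == "EXPORT",
    "aNULL":  lambda s: s.au is None,                # no server authentication at all
    "eNULL":  lambda s: s.enc is None,               # no encryption at all
    "NULL":   lambda s: s.enc is None,
    "ADH":    lambda s: _kx(s) == "DH" and s.au is None,
    "kRSA":   lambda s: _kx(s) == "RSA",
    "aRSA":   lambda s: s.au == "RSA",
    "aDSS":   lambda s: s.au == "DSS",
    "kEDH":   lambda s: _kx(s) == "DH",
}


def matches(suite: Suite, word: str) -> bool:
    """True if every '+'-joined part of `word` matches the suite."""
    for part in word.split("+"):
        pred = KEYWORDS.get(part)
        if pred is not None:
            if not pred(suite):
                return False
        elif part != suite.name and part != suite.enc:   # "RC4", "3DES" or a full suite name
            return False
    return True


def evaluate(cipher_string: str, table: List[Suite] = TABLE) -> List[str]:
    """Return the suite names the string selects, in the order a server would prefer them."""
    selected: List[Suite] = []
    killed = set()                       # names removed with '!' stay out for good
    for word in cipher_string.split(":"):
        if not word:
            continue
        if word == "@STRENGTH":
            selected.sort(key=lambda s: -s.bits)    # stable sort keeps ties in order
            continue
        op, pattern = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        hits = [s for s in table if matches(s, pattern)]
        if op == "!":
            killed.update(s.name for s in hits)
            selected = [s for s in selected if s not in hits]
        elif op == "-":
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            moved = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + moved
        else:
            for s in hits:
                if s.name not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]


def anonymous(names: List[str], table: List[Suite] = TABLE) -> List[str]:
    """Names from `names` that offer no server authentication (the aNULL class)."""
    by_name = {s.name: s for s in table}
    return [n for n in names if by_name[n].au is None]


if __name__ == "__main__":
    for spec in ("HIGH:MEDIUM:!ADH", "HIGH:MEDIUM:-ADH:-aNULL",
                 "HIGH:MEDIUM:!ADH:ADH", "HIGH:MEDIUM:-ADH:ADH"):
        names = evaluate(spec)
        print(f"{spec:26} -> {names}\n{'':26}    anonymous: {anonymous(names)}")
```

The `!` form is the one to prefer in a server directive precisely because it cannot be undone by a later token, whether that token is added by a later edit or by a default appended further along the string. Run it with `openssl ciphers -v` on the real table to confirm the model against your own OpenSSL build; the model's order is only the table order above.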
Re: Verifying enabled ciphers?
On Fri, Jan 24, 2003 at 09:30:28AM -, [EMAIL PROTECTED] wrote:
> Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.

OK. I did that, and the only one I support is RC4 with MD5. Strange, I thought I would be able to support more. Actually, to amend my previous post, the ones I expected to see were:

    EDH-RSA-DES-CBC3-SHA
    EDH-DSS-DES-CBC3-SHA
    DES-CBC3-SHA
    DHE-DSS-RC4-SHA
    IDEA-CBC-SHA
    RC4-SHA
    RC4-MD5

since I have SSLv2 shut off. Would the above list be further limited by the type (RSA / DSA) key I have? It is RSA.

> To unpack the terms:
>
> allows anonymous authentication - That sounds like allowing anyone to

I believe they mean Anonymous Diffie-Hellman. My SSLCipherSuite line excludes those, so I think they're wrong here.

> allows cleartext communication - That's what you get on non-secured sites.
> If the data doesn't need to be secured, there's no issue.

I believe they are referring to the NULL-MD5 cipher. I tested that with s_client, and I can't connect ('handshake failure'), so I don't believe I'm supporting that one either.

> supports weak encryption - Allows older browsers that have export-crippled
> security to connect. On the above Netcraft site, you'll see export version.
> The question for you is whether it is satisfactory to

Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according to my SSLCipherSuite line.

To follow up to Lutz, I tested all the ciphers with s_client against my server. The ones that I connected with were:

    DES-CBC3-SHA
    EDH-RSA-DES-CBC3-SHA
    IDEA-CBC-SHA
    RC4-MD5
    RC4-SHA

This is a shorter list than what I was expecting (at the top of this message).

The following did not connect, giving me a 'handshake failure':

    ADH-DES-CBC3-SHA
    ADH-DES-CBC-SHA
    ADH-RC4-MD5
    DES-CBC-SHA
    DHE-DSS-RC4-SHA
    EDH-DSS-DES-CBC3-SHA
    EDH-DSS-DES-CBC-SHA
    EDH-RSA-DES-CBC-SHA
    EXP1024-DES-CBC-SHA
    EXP1024-DHE-DSS-DES-CBC-SHA
    EXP1024-DHE-DSS-RC4-SHA
    EXP1024-RC2-CBC-MD5
    EXP1024-RC4-MD5
    EXP1024-RC4-SHA
    EXP-ADH-DES-CBC-SHA
    EXP-ADH-RC4-MD5
    EXP-DES-CBC-SHA
    EXP-EDH-DSS-DES-CBC-SHA
    EXP-EDH-RSA-DES-CBC-SHA
    EXP-RC2-CBC-MD5
    EXP-RC4-MD5

The following gave me 'illegal parameter':

    DES-CBC3-MD5
    DES-CBC-MD5
    IDEA-CBC-MD5
    RC2-CBC-MD5
    RC4-64-MD5

Thanks,
--
Steve
[EMAIL PROTECTED]
Re: Verifying enabled ciphers?
On Mon, Jan 27, 2003 at 10:47:27AM -0700, Steve Chadsey wrote:
> On Fri, Jan 24, 2003 at 09:30:28AM -, [EMAIL PROTECTED] wrote:
> > Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.
>
> OK. I did that, and the only one I support is RC4 with MD5. Strange, I
> thought I would be able to support more. Actually, to amend my previous
> post, the ones I expected to see were:
>
>     EDH-RSA-DES-CBC3-SHA
>     EDH-DSS-DES-CBC3-SHA
>     DES-CBC3-SHA
>     DHE-DSS-RC4-SHA
>     IDEA-CBC-SHA
>     RC4-SHA
>     RC4-MD5
>
> since I have SSLv2 shut off. Would the above list be further limited by
> the type (RSA / DSA) key I have? It is RSA.

Yes, it is limited by the key. Without a DSA key, you cannot use DSS ciphers. Therefore, what is left is:

    EDH-RSA-DES-CBC3-SHA
    DES-CBC3-SHA
    IDEA-CBC-SHA
    RC4-SHA
    RC4-MD5

> Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according to
> my SSLCipherSuite line.
>
> To follow up to Lutz, I tested all the ciphers with s_client against my
> server. The ones that I connected with were:
>
>     DES-CBC3-SHA
>     EDH-RSA-DES-CBC3-SHA
>     IDEA-CBC-SHA
>     RC4-MD5
>     RC4-SHA

See above :-)

> The following gave me 'illegal parameter':
>
>     DES-CBC3-MD5
>     DES-CBC-MD5
>     IDEA-CBC-MD5
>     RC2-CBC-MD5
>     RC4-64-MD5

These ciphers are SSLv2 ciphers.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
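Lutz's two constraints (no DSA key means no DSS suites; the SSLv2-only suites are never offered once `SSLProtocol all -SSLv2` is set) can be applied mechanically to the `openssl ciphers -v` listing to predict what a server will actually negotiate before testing it. The following is an added example, not code from the thread or from mod_ssl: it parses the `openssl ciphers -v 'HIGH:MEDIUM:!ADH'` output Steve posted (column spacing restored, embedded here as the sample input), drops suites whose `Au=` algorithm does not match the server's certificate key type or whose protocol is disabled, and yields exactly the five suites Steve's `s_client` probes accepted. Anonymous suites (`Au=None`) need no certificate, so the key-type filter leaves them alone; they are absent here only because the cipher string already excludes them.

```python
"""Predict which suites a server can negotiate from its 'openssl ciphers -v' output.

Added example, not from the thread or from mod_ssl. It applies the two
constraints Lutz names: a suite whose Au (authentication) algorithm does not
match the server certificate's key type cannot be used (no DSA key -> no DSS
suites), and suites that exist only for a disabled protocol version
(SSLProtocol all -SSLv2) are never offered. Anonymous suites (Au=None) need
no certificate and pass the key-type check. The sample input below is the
listing from Steve's mail with its column spacing restored.
"""
import re
from typing import Dict, List, Tuple

CIPHERS_V_OUTPUT = """\
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
"""

# "3DES(168)" -> ("3DES", "168"); "RSA(512)" -> ("RSA", "512"); "None" -> ("None", None)
_ALG_BITS = re.compile(r"^([A-Za-z0-9]+)(?:\((\d+)\))?$")


def parse_ciphers_v(text: str) -> List[Dict[str, object]]:
    """Parse 'openssl ciphers -v' lines into dicts: name, proto, kx, au, enc, bits, mac."""
    suites: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                                 # blank or malformed line
        entry: Dict[str, object] = {"name": fields[0], "proto": fields[1]}
        for kv in fields[2:]:
            key, _, value = kv.partition("=")
            m = _ALG_BITS.match(value)
            alg = m.group(1) if m else value
            if key == "Enc":
                entry["enc"] = None if alg == "None" else alg
                entry["bits"] = int(m.group(2)) if m and m.group(2) else 0
            elif key == "Au":
                entry["au"] = None if alg == "None" else alg
            else:
                entry[key.lower()] = alg             # Kx and Mac; export sizes like RSA(512) are dropped
        suites.append(entry)
    return suites


def effective_suites(suites: List[Dict[str, object]], server_key: str = "RSA",
                     disabled_protocols: Tuple[str, ...] = ("SSLv2",)
                     ) -> Tuple[List[str], Dict[str, str]]:
    """Return (names the server can negotiate, {dropped name: reason})."""
    usable: List[str] = []
    dropped: Dict[str, str] = {}
    for s in suites:
        name = str(s["name"])
        if s["proto"] in disabled_protocols:
            dropped.setdefault(name, f"{s['proto']} cipher, protocol disabled")
            continue
        if s["au"] is not None and s["au"] != server_key:
            dropped.setdefault(name, f"Au={s['au']} but the server key is {server_key}")
            continue
        if name not in usable:                       # RC4-MD5 is listed once per protocol version
            usable.append(name)
    for name in usable:                              # usable under SSLv3 beats "dropped" under SSLv2
        dropped.pop(name, None)
    return usable, dropped


if __name__ == "__main__":
    usable, dropped = effective_suites(parse_ciphers_v(CIPHERS_V_OUTPUT))
    print("negotiable:", ", ".join(usable))
    for name, why in dropped.items():
        print(f"  dropped {name}: {why}")
```

Feed it the live output of `openssl ciphers -v '<your SSLCipherSuite value>'` and the key type of your certificate to get the list you should expect an external scan to find; anything a scanner reports beyond that list is worth a second look at the scanner, anything it reports within it is your configuration.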
RE: Verifying enabled ciphers?
Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.

To unpack the terms:

allows anonymous authentication - That sounds like allowing anyone to visit your site, since I've never heard of anonymous auth for http, only ftp. Of course, the evil IIS uses a specific account for anonymous access (supposedly to protect your filesystem, but it's pants), which might be what they are thinking of.

allows cleartext communication - That's what you get on non-secured sites. If the data doesn't need to be secured, there's no issue.

supports weak encryption - Allows older browsers that have export-crippled security to connect. On the above Netcraft site, you'll see export version. The question for you is whether it is satisfactory to exclude older browsers from your websites. We've decided it isn't, so we stick with the export ciphers. It's true that they could be compromised in some way, but if there are users out there who are using ancient browsers then they probably have no up-to-date anti-virus protection either, so this is the least of their worries.

You'll need more information about all of these from your auditor, rather than just sweeping statements. We had a security auditor recently who said much the same.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Nearly everything we believe is second hand. For example, less than 500 people have seen the Earth from space, yet the majority of people believe it is round (or an oblate sphere for the pedants).

-----Original Message-----
From: Steve Chadsey [mailto:[EMAIL PROTECTED]]
Sent: 24 January 2003 02:10
To: [EMAIL PROTECTED]
Subject: Verifying enabled ciphers?

How can I verify the ciphers enabled by my webserver?

The reason I ask is because I have been informed by a third-party security auditor that my server allows anonymous authentication, allows cleartext communication, and supports weak encryption. I am unable to verify any of these claims on my own. Here is my information:

    Apache:  1.3.27
    mod_ssl: mod_ssl/2.8.12-1.3.27
    openssl: openssl-0.9.6g
    OS:      Solaris 8

Here are my relevant SSL directives from httpd.conf:

    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2

According to

    /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'

the supported ciphers for my server are:

    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
    DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
    DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
    IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
    RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
    RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
    IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=MD5
    RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
    RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5

But apparently I am also supporting:

    ADH-DES-CBC-SHA
    DES-CBC-SHA
    EDH-DSS-DES-CBC-SHA
    EDH-RSA-DES-CBC-SHA
    EXP1024-DES-CBC-SHA
    EXP1024-DHE-DSS-DES-CBC-SHA
    EXP1024-DHE-DSS-RC4-SHA
    EXP1024-RC2-CBC-MD5
    EXP1024-RC4-MD5
    EXP1024-RC4-SHA
    EXP-ADH-DES-CBC-SHA
    EXP-ADH-RC4-MD5
    EXP-DES-CBC-SHA
    EXP-EDH-DSS-DES-CBC-SHA
    EXP-EDH-RSA-DES-CBC-SHA
    EXP-RC2-CBC-MD5
    EXP-RC4-MD5
    NULL-MD5
    NULL-SHA

Is the security auditor full of it? How can I verify their results from an external machine (they've scanned the network from an external box)?

Thanks,
--
Steve Chadsey
[EMAIL PROTECTED]

-
NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those
RE: Verifying enabled ciphers?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>
> Nearly everything we believe is second hand. For example, less than 500
> people have seen the Earth from space, yet the majority of people believe
> it is round (or an oblate sphere for the pedants).

Perhaps. But this is not why we believe it to be round. We know it is a sphere from observations we make on the surface. For instance, ships sailing away from port disappear from the bottom up (Columbus knew that). The main evidence comes from the fact that the angle of elevation of astronomical bodies sighted at the same time in different places varies in a way that can only be explained if we are on the surface of a sphere.

In any case, billions of people have seen at first-hand photos of the Earth from space. Are we to assume all photos are always faked?

Rgds,
Owen Boyle

PS I liked your one about Alexander Graham Bell :-)

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.
RE: Verifying enabled ciphers?
-----Original Message-----
From: Boyle Owen [mailto:[EMAIL PROTECTED]]
Sent: 24 January 2003 10:09
To: [EMAIL PROTECTED]
Subject: RE: Verifying enabled ciphers?

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>
> > Nearly everything we believe is second hand. For example, less than 500
> > people have seen the Earth from space, yet the majority of people believe
> > it is round (or an oblate sphere for the pedants).
>
> Perhaps. But this is not why we believe it to be round. We know it is a
> sphere from observations we make on the surface. For instance, ships
> sailing away from port disappear from the bottom up (Columbus knew that).
> The main evidence comes from the fact that the angle of elevation of
> astronomical bodies sighted at the same time in different places varies in
> a way that can only be explained if we are on the surface of a sphere.
>
> In any case, billions of people have seen at first-hand photos of the Earth
> from space. Are we to assume all photos are always faked?
>
> Rgds,
> Owen Boyle
>
> PS I liked your one about Alexander Graham Bell :-)

I heard the quote about Alexander Graham Bell on Classic FM, and couldn't resist using it. Ironically, most of the time he turned his telephone off as it disturbed his work.

Indeed, there is evidence that the earth is curved. I've seen it myself 6 miles up in an aircraft. However, there are still only 430 people (that figure comes from NASA staffer Catherine Watson), and not many women among them, who've seen the earth as round for themselves.

A cynic may well claim that pictures of the Earth from space are faked. After all, that claim has been levelled against the Bible for years (and every year, more and more evidence is uncovered to support its authenticity, e.g. http://news.bbc.co.uk/1/hi/world/middle_east/2655781.stm, although their statement about it being the first piece of physical evidence needs taking with a large pinch of salt).

Incidentally, I was bought Origin of Species for Christmas, and I'm reading through it properly. I hadn't read that much of it, and what I had read was from quotes by other people. Which is probably where most believers in Evolution are at, simply following the flock. His section on problems with the theory is interesting, as those problems are still true, and there are many more problems too.

John
RE: Verifying enabled ciphers?
Apologies for the last message everyone. I thought I was sending it personally, and not to the list. Must pay more attention in the mornings.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Nearly everything we believe is second hand. For example, less than 500 people have seen the Earth from space, yet the majority of people believe it is round (OK pedants, an oblate sphere).
RE: Verifying enabled ciphers?
On Fri, 24 Jan 2003 [EMAIL PROTECTED] wrote:

[SNIP]

> A cynic may well claim that pictures of the Earth from space are faked.
> After all, that claim has been levelled against the Bible for years (and
> every year, more and more evidence is uncovered to support its
> authenticity. eg http://news.bbc.co.uk/1/hi/world/middle_east/2655781.stm,
> although their statement about it being the first piece of physical
> evidence needs taking with a large pinch of salt)

Are you saying the bible isn't spherical??!!

gryn

Thanks,

Ron DuFresne
--
~~
admin senior security consultant: sysinfo.com
http://sysinfo.com
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
testing, only testing, and damn good at it too!
RE: Verifying enabled ciphers?
What round? Wow! That's news to me. Now I can resume my travels, as I had paused for concerns of walking off the edge.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >
> > Nearly everything we believe is second hand. For example, less than 500
> > people have seen the Earth from space, yet the majority of people believe
> > it is round (or an oblate sphere for the pedants).
>
> Perhaps. But this is not why we believe it to be round. We know it is a
> sphere from observations we make on the surface. For instance, ships
> sailing away from port disappear from the bottom up (Columbus knew that).
> The main evidence comes from the fact that the angle of elevation of
> astronomical bodies sighted at the same time in different places varies in
> a way that can only be explained if we are on the surface of a sphere.
>
> In any case, billions of people have seen at first-hand photos of the Earth
> from space. Are we to assume all photos are always faked?
>
> Rgds,
> Owen Boyle
>
> PS I liked your one about Alexander Graham Bell :-)
Verifying enabled ciphers?
How can I verify the ciphers enabled by my webserver?

The reason I ask is because I have been informed by a third-party security auditor that my server allows anonymous authentication, allows cleartext communication, and supports weak encryption. I am unable to verify any of these claims on my own. Here is my information:

    Apache:  1.3.27
    mod_ssl: mod_ssl/2.8.12-1.3.27
    openssl: openssl-0.9.6g
    OS:      Solaris 8

Here are my relevant SSL directives from httpd.conf:

    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2

According to

    /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'

the supported ciphers for my server are:

    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
    DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
    DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
    IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
    RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
    RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
    IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=MD5
    RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
    RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5

But apparently I am also supporting:

    ADH-DES-CBC-SHA
    DES-CBC-SHA
    EDH-DSS-DES-CBC-SHA
    EDH-RSA-DES-CBC-SHA
    EXP1024-DES-CBC-SHA
    EXP1024-DHE-DSS-DES-CBC-SHA
    EXP1024-DHE-DSS-RC4-SHA
    EXP1024-RC2-CBC-MD5
    EXP1024-RC4-MD5
    EXP1024-RC4-SHA
    EXP-ADH-DES-CBC-SHA
    EXP-ADH-RC4-MD5
    EXP-DES-CBC-SHA
    EXP-EDH-DSS-DES-CBC-SHA
    EXP-EDH-RSA-DES-CBC-SHA
    EXP-RC2-CBC-MD5
    EXP-RC4-MD5
    NULL-MD5
    NULL-SHA

Is the security auditor full of it? How can I verify their results from an external machine (they've scanned the network from an external box)?

Thanks,
--
Steve Chadsey
[EMAIL PROTECTED]
Re: Verifying enabled ciphers?
On Thu, Jan 23, 2003 at 07:10:26PM -0700, Steve Chadsey wrote:
> How can I verify the ciphers enabled by my webserver?
>
> The reason I ask is because I have been informed by a third-party security
> auditor that my server allows anonymous authentication, allows cleartext
> communication, and supports weak encryption. I am unable to verify any of
> these claims on my own. Here is my information:
>
>     Apache:  1.3.27
>     mod_ssl: mod_ssl/2.8.12-1.3.27
>     openssl: openssl-0.9.6g
>     OS:      Solaris 8
>
> Here are my relevant SSL directives from httpd.conf:
>
>     SSLEngine on
>     SSLCipherSuite HIGH:MEDIUM:!ADH
>     SSLProtocol all -SSLv2
>
> According to
>
>     /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'
>
> the supported ciphers for my server are:
>
>     EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
>     EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
>     DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
>     DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
>     DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
>     IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
>     RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
>     RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
>     IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=MD5
>     RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
>     RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
>
> But apparently I am also supporting:
>
>     ADH-DES-CBC-SHA
>     DES-CBC-SHA
>     EDH-DSS-DES-CBC-SHA
>     EDH-RSA-DES-CBC-SHA
>     EXP1024-DES-CBC-SHA
>     EXP1024-DHE-DSS-DES-CBC-SHA
>     EXP1024-DHE-DSS-RC4-SHA
>     EXP1024-RC2-CBC-MD5
>     EXP1024-RC4-MD5
>     EXP1024-RC4-SHA
>     EXP-ADH-DES-CBC-SHA
>     EXP-ADH-RC4-MD5
>     EXP-DES-CBC-SHA
>     EXP-EDH-DSS-DES-CBC-SHA
>     EXP-EDH-RSA-DES-CBC-SHA
>     EXP-RC2-CBC-MD5
>     EXP-RC4-MD5
>     NULL-MD5
>     NULL-SHA
>
> Is the security auditor full of it? How can I verify their results from an
> external machine (they've scanned the network from an external box)?

Try to connect using

    openssl s_client -connect hostname:443 -cipher ADH-DES-CBC-SHA

to see if it really succeeds. With respect to your settings, it had better not.

Unfortunately the server-info handler does not list the enabled ciphers for crosschecking. The SSLv3/TLSv1 specification says that the client has to list its supported ciphers, so from the protocol point of view the only option indeed is to test connections with the ciphers in question.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
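Since, as Lutz says, the protocol gives a server no way to announce its cipher list, the only way to verify a configuration is to attempt a handshake per suite, which is what Steve did by hand and summarised into three outcomes. The following is an added example, not code from the thread, that automates that check against a server you administer: it shells out to the `openssl` binary on PATH using only the long-standing `s_client -connect host:port -cipher NAME` options, reduces each run's output to `connected`, `handshake failure`, `illegal parameter`, or `no session`, and groups the suite names by outcome. The three sample outputs used to exercise the classifier are constructed, modelled on what `s_client` prints, with the OpenSSL error codes replaced by a placeholder.

```python
"""Probe a server suite by suite with 'openssl s_client', the check Lutz suggests.

Added example, not from the thread. It shells out to the openssl binary on
PATH and uses only long-standing s_client options (-connect host:port,
-cipher NAME). classify() maps s_client's combined stdout/stderr to the
outcomes Steve reported. The sample outputs below are constructed, abridged
from the shape of real s_client output; <code> stands in for the error code.
"""
import re
import subprocess
from typing import Dict, List

SAMPLE_ACCEPTED = (
    "CONNECTED(00000003)\n---\nSSL-Session:\n"
    "    Protocol  : SSLv3\n    Cipher    : DES-CBC3-SHA\n"
)
SAMPLE_HANDSHAKE_FAILURE = (
    "CONNECTED(00000003)\n"
    "error:<code>:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure\n"
    "---\nSSL-Session:\n    Protocol  : SSLv3\n    Cipher    : 0000\n"
)
SAMPLE_ILLEGAL_PARAMETER = (
    "CONNECTED(00000003)\n"
    "error:<code>:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter\n"
)

_SESSION_CIPHER = re.compile(r"Cipher\s*:\s*(\S+)")   # the SSL-Session summary line


def classify(output: str, requested: str) -> str:
    """Reduce s_client output for one probe to a single outcome string."""
    low = output.lower()
    if "illegal parameter" in low:       # what Steve saw for the SSLv2-only suites
        return "illegal parameter"
    if "handshake failure" in low:       # server refused every suite the client offered
        return "handshake failure"
    m = _SESSION_CIPHER.search(output)
    if m and m.group(1) not in ("0000", "(NONE)"):
        # A real session names its suite; it should be the one we restricted the client to.
        return "connected" if m.group(1) == requested else f"connected with {m.group(1)}"
    return "no session"


def probe(host: str, port: int, cipher: str, timeout: float = 10.0) -> str:
    """Run one s_client handshake restricted to `cipher` and classify the result."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", cipher]
    try:
        # Empty stdin makes s_client exit as soon as the handshake has finished or failed.
        done = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    except FileNotFoundError:
        return "openssl not found"
    return classify((done.stdout + done.stderr).decode("utf-8", "replace"), cipher)


def local_cipher_names(spec: str = "ALL:eNULL") -> List[str]:
    """Every suite name the local openssl knows for `spec`, via 'openssl ciphers'."""
    out = subprocess.run(["openssl", "ciphers", spec], capture_output=True, check=True)
    return out.stdout.decode().strip().split(":")


def probe_all(host: str, port: int, ciphers: List[str]) -> Dict[str, List[str]]:
    """Group suite names by outcome, the way Steve summarised his results."""
    grouped: Dict[str, List[str]] = {}
    for name in ciphers:
        grouped.setdefault(probe(host, port, name), []).append(name)
    return grouped


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # a server you administer
    for outcome, names in probe_all(host, 443, local_cipher_names()).items():
        print(f"{outcome}:")
        for n in sorted(names):
            print(f"    {n}")
```

Run it from a host outside your own network to see what the auditor's scanner saw, and compare the `connected` group with the list your SSLCipherSuite value and certificate key type should permit; a suite in that group that is not on your list is the finding to chase, and a suite the scanner reported that lands in `handshake failure` is a question for the scanner.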