Hello Igor, Thanks a lot for excellent suggestion...
We will raise this concern to our client. However, There are many third party servers that are connecting to our webserver, This will take time I guess. Hence we will try configuring the following for time being and check if the new client with DES-CBC-SHA is able to connect to our webserver. !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM I will again need your help, If the new client is unable to connect. THanks again... 2011/12/8 Igor Galić <[email protected]> > > > ----- Original Message ----- > > Hi Igor, > > > > Thanks a zillion. > > > > I understand from your mail that the following 2 cipher suites will > > work with the existing and the new clinet configurations. > > > > Kindly correct me if I m wrong. > > > > > 1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL > > 2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM > > > > However the first cipher suite contains MD5, which is not preferable > > due to security reasons. > > > > Hence we can use the second cipher, which is same as the first > > cipher(both the clients those who are using RC4+RSA and the > > DES-CBC-SHA will be able to have a successful ssl handshake), but > > this one is more secured compared to the first one. > > > > If we add the second cipher suite. does the configuration look as > > following ? : > > SSLProtocol +SSLv3 > > SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM > > SSLHonorCipherOrder on > > igalic@tynix ~ % openssl ciphers -v ' > !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM' > DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 > RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 > igalic@tynix ~ % > > SSLProtocol +SSLv3 is not very useful in this case, because > SSLProtocol defaults to "all", so, to all, you're adding SSLv3, > but that's already contained in "all", so it'll be ignored. > > One way or the other, the ciphersuite you're selecting will give you SSLv3 > *only* anyway! AND it will limit you to exactly two ciphers. In effect, > this: > > does the same: > > igalic@tynix ~ % openssl ciphers -v '!MD5:DES-CBC-SHA:RC4+RSA' > DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 > RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 > igalic@galic % > > > Please let me know if I m not clear. > > > My question is still: Why do you have to narrow your cipher suite down > *so* much? - Is there a sane way to upgrade the clients such that they > support modern, more secure, or just: *more* ciphers? > > i > > -- > Igor Galić > > Tel: +43 (0) 664 886 22 883 > Mail: [email protected] > URL: http://brainsware.org/ > GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [email protected] > " from the digest: [email protected] > For additional commands, e-mail: [email protected] > >
