Jens,

On 1/22/2010 12:30 PM, Jens Neu wrote:
> Christopher,
>
> my "Problem" is that I have a requirement that SSLv2 shall be forbidden,
> but not SSLv3 and TLS. On top, also forbidden are ciphers <=128bit. I was
> hoping to tackle this with
>
> SSLProtocol="TLSv1+SSLv3"
> SSLCipher="-ALL:+HIGH:+MEDIUM"
>
> without manually selecting all ciphers. Since I'm on apr/openssl, I assume
> that my available ciphers are what gives me "openssl ciphers"?
> So this leaves me with no other option than crawling through all the
> ciphers? Certainly looking forward to it ;-)

How about SSLCipher="-ALL:+HIGH:+MEDIUM:!SSLv2"?

The APR documentation points you to the openssl documentation for
reference. The above SSLCipher yields:

$ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
ADH-AES256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
ADH-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
ADH-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
ADH-RC4-MD5
RC4-SHA
RC4-MD5

Are those acceptable? You don't have to list all the ciphers if you
don't want to.

-chris
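
Added example (not part of the original message, and not code from Tomcat, APR or OpenSSL): one way to check an expanded cipher string against the requirement quoted above (no ciphers <=128 bit) without reading the list by hand, by parsing the Au= and Enc= columns of "openssl ciphers -v". The function name, the MIN_BITS variable, the extra rejection of unauthenticated (Au=None) suites and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Reads `openssl ciphers -v` lines on stdin and prints, per suite,
# "OK <name>" or "REJECT <name> <reason>".
# MIN_BITS (hypothetical knob): smallest acceptable key size; the default
# of 129 encodes "ciphers <=128 bit are forbidden".
check_ciphers() {
    awk -v min="${MIN_BITS:-129}" '
    NF >= 5 {
        name = $1; auth = ""; bits = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Au=/) auth = substr($i, 4)
            # Enc=AES(256) -> 256; Enc=None carries no size and stays 0
            if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
        }
        reason = ""
        if (auth == "None")  reason = "anonymous-key-exchange"
        else if (bits < min) reason = "keysize=" bits
        if (reason == "") print "OK", name
        else              print "REJECT", name, reason
    }'
}

# Constructed sample in the column layout printed by `openssl ciphers -v`.
# The size shown for 3DES is the nominal figure OpenSSL reports.
sample_lines() {
    cat <<'EOF'
ADH-AES256-SHA      SSLv3 Kx=DH  Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA  SSLv3 Kx=DH  Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA          SSLv3 Kx=RSA Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA        SSLv3 Kx=RSA Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5             SSLv3 Kx=RSA Au=RSA  Enc=RC4(128)  Mac=MD5
EOF
}

# Against a real build:
#   openssl ciphers -v '-ALL:HIGH:MEDIUM:!SSLv2' | check_ciphers
sample_lines | check_ciphers
```

Joining the names reported as OK with ":" gives an explicit value that can be reviewed before it goes into SSLCipher.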