From: Igor Galić <igalic@apache.org>
Date: Wed, 11 Apr 2012 11:30:09 +0000 (+0000)
Subject: pr#51958 : mod_ssl documentation is confusing re. SSLCipherSuite Directive
X-Git-Tag: 2.5.0-alpha~7206
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=41216526ff8c1b15c00df3e2315d30ee5454e691;p=apache

pr#51958 : mod_ssl documentation is confusing re. SSLCipherSuite Directive

clarify SSLCipherSuite behaviour by describing an example cipher suite from
our current configuration (courtesy to pquerna) and show output using an
OpenSSL version this century.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1324707 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index df1671a6ae..045c21b9e3 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -717,22 +717,23 @@ prefixes are:</p>
 -v</code>'' command which provides a nice way to successively create the
 correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
 depends on the version of the OpenSSL libraries used. Let's suppose it is
-``<code>ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
-means the following: first, remove from consideration any ciphers that do not
-authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next,
-use ciphers using RC4 and RSA. Next include the high, medium and then the low
-security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
-end of the list.</p>
+``<code>RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5</code>'' which
+means the following: Put <code>RC4-SHA</code> and <code>AES128-SHA</code> at
+the beginning. We do this, because these ciphers offer a good compromise
+between speed and security. Next, include high and medium security ciphers.
+Finally, remove all ciphers which do not authenticate, i.e. for SSL the
+Anonymous Diffie-Hellman ciphers, as well as all ciphers which use
+<code>MD5</code> as hash algorithm, because it has been proven insufficient.</p>
 <example>
 <pre>
-$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
-NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
-NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
-EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
+$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'
+RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
+AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
+DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
 ...                     ...               ...     ...           ...
-EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
-EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
-EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
+SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
+PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
+KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
 </pre>
 </example>
 <p>The complete list of particular RSA &amp; DH ciphers for SSL is given in <a