From 41216526ff8c1b15c00df3e2315d30ee5454e691 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Igor=20Gali=C4=87?= Date: Wed, 11 Apr 2012 11:30:09 +0000 Subject: [PATCH] pr#51958 : mod_ssl documentation is confusing re. SSLCipherSuite Directive clarify SSLCipherSuite behaviour by describing an example cipher suite from our current configuration (courtesy to pquerna) and show output using an OpenSSL version this century. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1324707 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_ssl.xml | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index df1671a6ae..045c21b9e3 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -717,22 +717,23 @@ prefixes are:

-v'' command which provides a nice way to successively create the correct cipher-spec string. The default cipher-spec string depends on the version of the OpenSSL libraries used. Let's suppose it is -``ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'' which -means the following: first, remove from consideration any ciphers that do not -authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next, -use ciphers using RC4 and RSA. Next include the high, medium and then the low -security ciphers. Finally pull all SSLv2 and export ciphers to the -end of the list.

+``RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'' which +means the following: Put RC4-SHA and AES128-SHA at +the beginning. We do this, because these ciphers offer a good compromise +between speed and security. Next, include high and medium security ciphers. +Finally, remove all ciphers which do not authenticate, i.e. for SSL the +Anonymous Diffie-Hellman ciphers, as well as all ciphers which use +MD5 as hash algorithm, because it has been proven insufficient.

-$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
-NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
-NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
-EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
+$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'
+RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
+AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
+DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
 ...                     ...               ...     ...           ...
-EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
-EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
-EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
+SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
+PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
+KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1

The complete list of particular RSA & DH ciphers for SSL is given in