Verifying enabled ciphers?

on 24.01.2003 03:10:26 by Steve Chadsey

How can I verify the ciphers enabled by my webserver?

The reason I ask is because I have been informed by a third-party
security auditor that my server "allows anonymous authentication",
"allows cleartext communication", and "supports weak encryption".
I am unable to verify any of these claims on my own.

Here is my information
Apache: 1.3.27
mod_ssl: mod_ssl/2.8.12-1.3.27
openssl: openssl-0.9.6g
OS: Solaris 8

Here are my relevant SSL directives from httpd.conf:
SSLEngine on
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2

According to
/usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'
the supported ciphers for my server are:
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

But apparently I am also supporting:
ADH-DES-CBC-SHA
DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
NULL-MD5
NULL-SHA

Is the security auditor full of it? How can I verify their results
from an external machine (they've scanned the network from an
external box)?

Thanks,
--
Steve Chadsey
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Verifying enabled ciphers?

on 24.01.2003 08:54:18 by Lutz Jaenicke

On Thu, Jan 23, 2003 at 07:10:26PM -0700, Steve Chadsey wrote:
> How can I verify the ciphers enabled by my webserver?
>
> The reason I ask is because I have been informed by a third-party
> security auditor that my server "allows anonymous authentication",
> "allows cleartext communication", and "supports weak encryption".
> I am unable to verify any of these claims on my own.
>
> Here is my information
> Apache: 1.3.27
> mod_ssl: mod_ssl/2.8.12-1.3.27
> openssl: openssl-0.9.6g
> OS: Solaris 8
>
> Here are my relevant SSL directives from httpd.conf:
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM:!ADH
> SSLProtocol all -SSLv2
>
> According to
> /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH'
> the supported ciphers for my server are:
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
> DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
> IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
> RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
>
> But apparently I am also supporting:
> ADH-DES-CBC-SHA
> DES-CBC-SHA
> EDH-DSS-DES-CBC-SHA
> EDH-RSA-DES-CBC-SHA
> EXP1024-DES-CBC-SHA
> EXP1024-DHE-DSS-DES-CBC-SHA
> EXP1024-DHE-DSS-RC4-SHA
> EXP1024-RC2-CBC-MD5
> EXP1024-RC4-MD5
> EXP1024-RC4-SHA
> EXP-ADH-DES-CBC-SHA
> EXP-ADH-RC4-MD5
> EXP-DES-CBC-SHA
> EXP-EDH-DSS-DES-CBC-SHA
> EXP-EDH-RSA-DES-CBC-SHA
> EXP-RC2-CBC-MD5
> EXP-RC4-MD5
> NULL-MD5
> NULL-SHA
>
> Is the security auditor full of it? How can I verify their results
> from an external machine (they've scanned the network from an
> external box)?

Try to connect using
openssl s_client -connect hostname:443 -cipher ADH-DES-CBC-SHA
to see if it really succeeds. With respect to your settings, it had
better not.
Unfortunately the server-info handler does not list the enabled ciphers
for crosschecking. The SSLv3/TLSv1 specification says that the client
has to list its supported ciphers, so from the protocol's point of view
the only option indeed is to test connections with the ciphers in
question.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

RE: Verifying enabled ciphers?

on 24.01.2003 10:30:28 by John.Airey

Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.

To unpack the terms:

"allows anonymous authentication" - That sounds like allowing anyone to
visit your site, since I've never heard of anonymous auth for http, only
ftp. Of course, the evil IIS uses a specific account for "anonymous" access
(supposedly to protect your filesystem, but it's pants), which might be what
they are thinking of.

"allows cleartext communication" - That's what you get on non-secured sites.
If the data doesn't need to be secured, there's no issue.

"supports weak encryption" - Allows older browsers that have
"export-crippled" security to connect. On the above Netcraft site, you'll
see "export version". The question for you is whether it is satisfactory to
exclude older browsers from your websites. We've decided it isn't, so we
stick with the export ciphers. It's true that they could be compromised in
some way, but if there are users out there who are using ancient browsers
then they probably have no up to date anti-virus protection either, so this
is the least of their worries.

You'll need more information about all of these from your auditor,
rather than just sweeping statements.

We had a security auditor recently who said much the same.


-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Nearly everything we believe is second hand. For example, less than 500
people have seen the Earth from space, yet the majority of people believe it
is round (or an oblate sphere for the pedants).

RE: Verifying enabled ciphers?

on 24.01.2003 11:08:45 by Boyle Owen

>-----Original Message-----
>From: John.Airey@rnib.org.uk [mailto:John.Airey@rnib.org.uk]
>
>Nearly everything we believe is second hand. For example, less than 500
>people have seen the Earth from space, yet the majority of
>people believe it is round (or an oblate sphere for the pedants).
>

Perhaps. But this is not why we believe it to be round. We know it is a
sphere from observations we make on the surface. For instance, ships
sailing away from port disappear from the bottom up (Columbus knew
that). The main evidence comes from the fact that the angle of elevation
of astronomical bodies sighted at the same time in different places
varies in a way that can only be explained if we are on the surface of a
sphere.

In any case, billions of people have seen at first-hand photos of the
Earth from space. Are we to assume all photos are always faked?

Rgds,

Owen Boyle

PS I liked your one about Alexander Graham Bell :-)

RE: Verifying enabled ciphers?

on 24.01.2003 11:26:53 by John.Airey

I heard the quote about Alexander Graham Bell on Classic FM, and couldn't
resist using it. Ironically, most of the time he turned his telephone off as
it disturbed his work.

Indeed, there is "evidence" that the earth is curved. I've seen it myself 6
miles up in an aircraft. However, there are still only 430 people (that
figure comes from NASA staffer Catherine Watson), and not many women among
them, who've seen the earth as round for themselves.

A cynic may well claim that pictures of the Earth from space are faked.
After all, that claim has been levelled against the Bible for years (and
every year, more and more evidence is uncovered to support its authenticity.
eg http://news.bbc.co.uk/1/hi/world/middle_east/2655781.stm, although their
statement about it being the "first" piece of physical evidence needs taking
with a large pinch of salt)

Incidentally, I was bought Origin of Species for Christmas, and I'm reading
through it properly. I hadn't read that much of it, and what I had read was
from quotes by other people. Which is probably where most "believers" in
Evolution are at, simply following the flock.

His section on problems with the theory is interesting, as those problems
are still true, and there are many more problems too.

John

RE: Verifying enabled ciphers?

on 24.01.2003 11:34:29 by John.Airey

Apologies for the last message everyone. I thought I was sending it
personally, and not to the list.

Must pay more attention in the mornings.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Nearly everything we believe is second hand. For example, less than 500
people have seen the Earth from space, yet the majority of people believe it
is round (OK pedants, an oblate sphere).

RE: Verifying enabled ciphers?

on 24.01.2003 15:09:56 by dufresne

On Fri, 24 Jan 2003 John.Airey@rnib.org.uk wrote:

[SNIP]

> A cynic may well claim that pictures of the Earth from space are faked.
> After all, that claim has been levelled against the Bible for years (and
> every year, more and more evidence is uncovered to support its authenticity.
> eg http://news.bbc.co.uk/1/hi/world/middle_east/2655781.stm, although their
> statement about it being the "first" piece of physical evidence needs taking
> with a large pinch of salt)
>

Are you saying the bible isn't spherical??!!


Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!

RE: Verifying enabled ciphers?

on 24.01.2003 15:33:18 by john.f.kline

What round? Wow! That's news to me. Now I can resume my travels as I had
paused for concerns of walking off the edge....

Re: Verifying enabled ciphers?

on 27.01.2003 18:47:27 by Steve Chadsey

On Fri, Jan 24, 2003 at 09:30:28AM -0000, John.Airey@rnib.org.uk wrote:
> Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.
>

OK. I did that, and the only one I support is "RC4 with MD5". Strange, I
thought I would be able to support more. Actually, to amend my previous
post, the ones I expected to see were:

EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-DSS-RC4-SHA
IDEA-CBC-SHA
RC4-SHA
RC4-MD5

since I have SSLv2 shut off. Would the above list be further limited
by the type (RSA / DSA) key I have? It is RSA.


> To unpack the terms:
>
> "allows anonymous authentication" - That sounds like allowing anyone to

I believe they mean Anonymous Diffie-Hellman. My SSLCipherSuite line
excludes those, so I think they're wrong here.

> "allows cleartext communication" - That's what you get on non-secured sites.
> If the data doesn't need to be secured, there's no issue.

I believe they are referring to the NULL-MD5 cipher. I tested that
with s_client, and I can't connect ('handshake failure'), so I don't
believe I'm supporting that one either.

>
> "supports weak encryption" - Allows older browsers that have
> "export-crippled" security to connect. On the above Netcraft site, you'll
> see "export version". The question for you is whether it is satisfactory to

Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according
to my SSLCipherSuite line.

To follow up to Lutz, I tested all the ciphers with s_client against
my server. The ones that I connected with were:

DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
IDEA-CBC-SHA
RC4-MD5
RC4-SHA

This is a shorter list than what I was expecting (at the top of
this message).

The following did not connect, giving me a 'handshake failure':
ADH-DES-CBC3-SHA
ADH-DES-CBC-SHA
ADH-RC4-MD5
DES-CBC-SHA
DHE-DSS-RC4-SHA
EDH-DSS-DES-CBC3-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

The following gave me 'illegal parameter':
DES-CBC3-MD5
DES-CBC-MD5
IDEA-CBC-MD5
RC2-CBC-MD5
RC4-64-MD5


Thanks,
--
Steve
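Lutz's check above (one `openssl s_client -connect host:443 -cipher NAME` handshake per suite) and the three outcome groups Steve reports, written up as a small driver. This is an added example, not code from the thread, from mod_ssl or from OpenSSL: it shells out to a local `openssl` binary (assumed to be on PATH), classifies each run by the "Cipher is" line s_client prints and the two alert phrases quoted in the thread, and the `SAMPLE_*` strings are constructed excerpts for an offline check of the classifier, not captured output.

```python
"""Probe a TLS server one cipher at a time with `openssl s_client -cipher`
and group the outcomes the way the thread reports them.
Added example; not code from the thread, from mod_ssl or from OpenSSL."""
import re
import subprocess

# s_client prints "New, <proto>, Cipher is <NAME>" after a completed handshake
# and "Cipher is (NONE)" when nothing was agreed; the two error phrases are
# the ones quoted in the thread ('handshake failure', 'illegal parameter').
AGREED_RE = re.compile(r"Cipher is (?!\(NONE\))(\S+)")


def classify(output):
    """Map raw s_client stdout+stderr to a single outcome label."""
    if "error setting cipher list" in output:
        return "not known to local openssl"   # the name is absent client-side
    if "illegal parameter" in output:
        return "illegal parameter"
    if "handshake failure" in output:
        return "handshake failure"
    if AGREED_RE.search(output):
        return "connected"
    return "other"


def probe(host, port, cipher, openssl="openssl", timeout=15):
    """One handshake restricted to a single cipher name. stdin is closed so
    s_client returns as soon as the handshake finishes or fails."""
    cmd = [openssl, "s_client", "-connect", "%s:%d" % (host, port),
           "-cipher", cipher]
    proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                          text=True, timeout=timeout)
    return classify(proc.stdout + proc.stderr)


def local_ciphers(spec="ALL:eNULL", openssl="openssl"):
    """Every name the local openssl knows, NULL ciphers included, so that the
    'cleartext' and 'weak encryption' claims get exercised as well."""
    out = subprocess.run([openssl, "ciphers", spec], capture_output=True,
                         text=True, check=True).stdout
    return out.strip().split(":")


def summarize(results):
    """Group cipher names by outcome, each group sorted, like Steve's report."""
    groups = {}
    for name, outcome in results.items():
        groups.setdefault(outcome, []).append(name)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed s_client excerpts, only for an offline run of classify().
SAMPLE_CONNECTED = "CONNECTED(00000003)\n...\nNew, TLSv1/SSLv3, Cipher is RC4-MD5\n"
SAMPLE_REFUSED = "...:sslv3 alert handshake failure:...\nNew, (NONE), Cipher is (NONE)\n"
SAMPLE_ILLEGAL = "...:sslv3 alert illegal parameter:...\nNew, (NONE), Cipher is (NONE)\n"

if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = {c: probe(host, port, c) for c in local_ciphers()}
    for outcome, group in summarize(results).items():
        print(outcome + ":\n  " + "\n  ".join(group))
```

Run it as `python probe.py www.example.org 443` from the outside, as the auditor did. The "not known to local openssl" group is kept separate on purpose: a current OpenSSL build no longer knows most of the 2003 names in this thread and s_client then refuses to even start, which says nothing about the server. Only a "connected" result proves the server accepts a suite, which is Lutz's point that the protocol gives no other way to list what a server enables.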

Re: Verifying enabled ciphers?

on 27.01.2003 20:52:53 by Lutz Jaenicke

On Mon, Jan 27, 2003 at 10:47:27AM -0700, Steve Chadsey wrote:
> On Fri, Jan 24, 2003 at 09:30:28AM -0000, John.Airey@rnib.org.uk wrote:
> > Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.
> >
>
> OK. I did that, and the only one I support is "RC4 with MD5". Strange, I
> thought I would be able to support more. Actually, to amend my previous
> post, the ones I expected to see were:
>
> EDH-RSA-DES-CBC3-SHA
> EDH-DSS-DES-CBC3-SHA
> DES-CBC3-SHA
> DHE-DSS-RC4-SHA
> IDEA-CBC-SHA
> RC4-SHA
> RC4-MD5
>
> since I have SSLv2 shut off. Would the above list be further limited
> by the type (RSA / DSA) key I have? It is RSA.

Yes, it is limited by the key. Without a DSA key, you cannot use DSS ciphers.
That leaves:
EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA
IDEA-CBC-SHA
RC4-SHA
RC4-MD5

> Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according
> to my SSLCipherSuite line.
>
> To follow up to Lutz, I tested all the ciphers with s_client against
> my server. The ones that I connected with were:
>
> DES-CBC3-SHA
> EDH-RSA-DES-CBC3-SHA
> IDEA-CBC-SHA
> RC4-MD5
> RC4-SHA

See above :-)

> The following gave me 'illegal parameter':
> DES-CBC3-MD5
> DES-CBC-MD5
> IDEA-CBC-MD5
> RC2-CBC-MD5
> RC4-64-MD5

These ciphers are SSLv2 ciphers.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

Re: Verifying enabled ciphers?

on 30.01.2003 19:38:04 by Steve Chadsey

One more question regarding the SSLCipherSuite line. Our security
auditor recommended that we change the line
SSLCipherSuite HIGH:MEDIUM:!ADH
to
SSLCipherSuite HIGH:MEDIUM:-ADH:-aNULL

What is the difference?
openssl ciphers -v 'HIGH:MEDIUM:!ADH'
and
openssl ciphers -v 'HIGH:MEDIUM:-ADH:-aNULL'

both return the same cipher list. Is there a practical difference
in the two directives?

Thanks,
--
Steve

Re: Verifying enabled ciphers?

on 30.01.2003 19:42:40 by Lutz Jaenicke

On Thu, Jan 30, 2003 at 11:38:04AM -0700, Steve Chadsey wrote:
> One more question regarding the SSLCipherSuite line. Our security
> auditor recommended that we change the line
> SSLCipherSuite HIGH:MEDIUM:!ADH
> to
> SSLCipherSuite HIGH:MEDIUM:-ADH:-aNULL
>
> What is the difference?
> openssl ciphers -v 'HIGH:MEDIUM:!ADH'
> and
> openssl ciphers -v 'HIGH:MEDIUM:-ADH:-aNULL'
>
> both return the same cipher list. Is there a practical difference
> in the two directives?

Hmm, not now.

aNULL is equivalent to ADH, as Anonymous DH ciphers are the only aNULL
ciphers supported. If at any point in the future an anonymous cipher
without DH were added (does such a thing exist?), it might make
a difference.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
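Lutz's two answers in this thread worked through in code: the DSS suites drop out without a DSA key and the SSLv2-only suites drop out with SSLv2 off, and `HIGH:MEDIUM:!ADH` selects the same list as `HIGH:MEDIUM:-ADH:-aNULL`. This is an added example, not code from the thread, from mod_ssl or from OpenSSL. `CIPHERS` is a constructed subset of the openssl-0.9.6 table with the attributes taken from the `openssl ciphers -v` lines quoted above, `ALIASES` covers only the cipher-string keywords used here, and the `!`, `-` and `+` rules follow the `ciphers` man page: `-` deletes a suite from the list built so far but a later keyword may add it back, `!` deletes it for the rest of the string, `+` moves matches to the end. With nothing after the deletion, as in both strings the auditor compared, the two forms cannot differ, which is what `openssl ciphers` showed Steve.

```python
"""OpenSSL cipher-string rules (keywords, '!', '-', '+', '@STRENGTH') over a
small cipher table, plus a filter for what a server can really negotiate
given its certificate key type and enabled protocols.
Added example; not code from the thread, from mod_ssl or from OpenSSL."""
from typing import NamedTuple


class Cipher(NamedTuple):
    name: str
    proto: str     # "SSLv2" or "SSLv3" (TLSv1 suites print as SSLv3 in 0.9.6)
    kx: str        # key exchange: "RSA" or "DH"
    au: str        # authentication: "RSA", "DSS" or "None" (anonymous)
    enc: str
    bits: int
    mac: str
    strength: str  # 0.9.6 strength class: HIGH, MEDIUM, LOW, EXPORT, NONE


# Constructed subset of the 0.9.6 master list, in master-list order;
# attributes copied from the `openssl ciphers -v` output quoted in the thread.
CIPHERS = [Cipher(*r) for r in [
    ("EDH-RSA-DES-CBC3-SHA", "SSLv3", "DH",  "RSA",  "3DES", 168, "SHA1", "HIGH"),
    ("EDH-DSS-DES-CBC3-SHA", "SSLv3", "DH",  "DSS",  "3DES", 168, "SHA1", "HIGH"),
    ("DES-CBC3-SHA",         "SSLv3", "RSA", "RSA",  "3DES", 168, "SHA1", "HIGH"),
    ("DES-CBC3-MD5",         "SSLv2", "RSA", "RSA",  "3DES", 168, "MD5",  "HIGH"),
    ("ADH-DES-CBC3-SHA",     "SSLv3", "DH",  "None", "3DES", 168, "SHA1", "HIGH"),
    ("DHE-DSS-RC4-SHA",      "SSLv3", "DH",  "DSS",  "RC4",  128, "SHA1", "MEDIUM"),
    ("IDEA-CBC-SHA",         "SSLv3", "RSA", "RSA",  "IDEA", 128, "SHA1", "MEDIUM"),
    ("RC4-SHA",              "SSLv3", "RSA", "RSA",  "RC4",  128, "SHA1", "MEDIUM"),
    ("RC4-MD5",              "SSLv3", "RSA", "RSA",  "RC4",  128, "MD5",  "MEDIUM"),
    ("IDEA-CBC-MD5",         "SSLv2", "RSA", "RSA",  "IDEA", 128, "MD5",  "MEDIUM"),
    ("RC2-CBC-MD5",          "SSLv2", "RSA", "RSA",  "RC2",  128, "MD5",  "MEDIUM"),
    ("RC4-MD5",              "SSLv2", "RSA", "RSA",  "RC4",  128, "MD5",  "MEDIUM"),
    ("ADH-RC4-MD5",          "SSLv3", "DH",  "None", "RC4",  128, "MD5",  "MEDIUM"),
    ("DES-CBC-SHA",          "SSLv3", "RSA", "RSA",  "DES",   56, "SHA1", "LOW"),
    ("ADH-DES-CBC-SHA",      "SSLv3", "DH",  "None", "DES",   56, "SHA1", "LOW"),
    ("EXP-ADH-RC4-MD5",      "SSLv3", "DH",  "None", "RC4",   40, "MD5",  "EXPORT"),
    ("NULL-MD5",             "SSLv3", "RSA", "RSA",  "None",   0, "MD5",  "NONE"),
]]

# Cipher-string keywords as predicates over a Cipher (subset of `man ciphers`).
ALIASES = {
    "HIGH":   lambda c: c.strength == "HIGH",
    "MEDIUM": lambda c: c.strength == "MEDIUM",
    "LOW":    lambda c: c.strength == "LOW",
    "EXPORT": lambda c: c.strength == "EXPORT",
    "ALL":    lambda c: c.enc != "None",
    "eNULL":  lambda c: c.enc == "None",               # no encryption at all
    "aNULL":  lambda c: c.au == "None",                # no authentication at all
    "ADH":    lambda c: c.kx == "DH" and c.au == "None",
    "kRSA":   lambda c: c.kx == "RSA",
    "DSS":    lambda c: c.au == "DSS",
    "SSLv2":  lambda c: c.proto == "SSLv2",
    "MD5":    lambda c: c.mac == "MD5",
}
ALIASES.update(EXP=ALIASES["EXPORT"], NULL=ALIASES["eNULL"], RSA=ALIASES["kRSA"])


def _matcher(word):
    """'kRSA+RC4' words are intersections; words that are not keywords match
    by suite name or by encryption algorithm (RC4, 3DES, IDEA, ...)."""
    preds = [ALIASES.get(p) or (lambda c, w=p: c.name == w or c.enc == w)
             for p in word.split("+")]
    return lambda c: all(p(c) for p in preds)


def evaluate(spec, table=CIPHERS):
    """Return the suites an OpenSSL cipher string selects, in order."""
    selected, killed = [], set()
    for word in filter(None, spec.split(":")):
        if word == "@STRENGTH":
            selected.sort(key=lambda c: -c.bits)   # stable sort: ties keep order
            continue
        op, body = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        match = _matcher(body)
        if op == "!":                                # delete for good
            killed.update(c for c in table if match(c))
            selected = [c for c in selected if not match(c)]
        elif op == "-":                              # delete, may be re-added
            selected = [c for c in selected if not match(c)]
        elif op == "+":                              # move matches to the end
            selected = ([c for c in selected if not match(c)]
                        + [c for c in selected if match(c)])
        else:                                        # add, in table order
            selected += [c for c in table
                         if match(c) and c not in killed and c not in selected]
    return selected


def negotiable(selected, server_key="RSA", enabled=("SSLv3",)):
    """Drop suites the server cannot offer: a protocol switched off by
    SSLProtocol, or an Au its certificate key cannot perform (DSS suites need
    a DSA key; anonymous suites need no key at all)."""
    return [c for c in selected
            if c.proto in enabled and c.au in (server_key, "None")]


def names(ciphers):
    return [c.name for c in ciphers]


if __name__ == "__main__":
    for spec in ("HIGH:MEDIUM:!ADH", "HIGH:MEDIUM:-ADH:-aNULL",
                 "HIGH:-ADH:ADH", "HIGH:!ADH:ADH"):
        print("%-26s %s" % (spec, ":".join(names(evaluate(spec)))))
    print("RSA key, SSLv2 off:       %s"
          % ":".join(names(negotiable(evaluate("HIGH:MEDIUM:!ADH")))))
```

`evaluate("HIGH:MEDIUM:!ADH")` reproduces the eleven lines Steve pasted from `openssl ciphers -v`, and `negotiable()` with an RSA key and SSLv2 disabled cuts that to the five suites Lutz lists, which are also the five Steve could connect with; the SSLv2 entries are the ones that answered 'illegal parameter' and the DSS entries are among those that answered 'handshake failure'. The last two strings in the `__main__` block show where `!` and `-` do differ: `HIGH:-ADH:ADH` brings the anonymous suites back, `HIGH:!ADH:ADH` does not.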