force mod_ssl to choose 3DES over RC4 ciphers?

on 12.02.2004 15:30:06 by Daniel Eggleston

Hello all,

I would like our secure server to default to 3DES 168-bit high
encryption for SSL sessions, but with the ability to fall back to 128-
bit RC4 _only_ if the client doesn't support 3DES. My current cipher-
spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which, with my
version of OpenSSL, equates to:

EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5

Is it possible to construct a cipher-spec string that will make
Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are
'offered' by the client (most clients seem to offer RC4 ciphers before
3DES ones in the 'Client Hello').

It seems that unless I completely disable RC4 on the server, it always
gets chosen ahead of 3DES :-( This is my first post here so thanks in
advance for any help.

Kind Regards,

Daniel Eggleston
Senior Network Developer
Boxing Orange Ltd
t: 0871 871 2774
f: 0871 871 0068
Daniel.Eggleston@boxingorange.com
http://www.boxingorange.com/

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: force mod_ssl to choose 3DES over RC4 ciphers?

on 12.02.2004 16:28:06 by Lutz Jaenicke

On Thu, Feb 12, 2004 at 02:30:06PM -0000, Daniel Eggleston wrote:
> Hello all,
>
> I would like our secure server to default to 3DES 168-bit high
> encryption for SSL sessions, but with the ability to fall back to 128-
> bit RC4 _only_ if the client doesn't support 3DES. My current cipher-
> spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which, with my
> version of OpenSSL, equates to:
>
> EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5
>
> Is it possible to construct a cipher-spec string that will make
> Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are
> 'offered' by the client (most clients seem to offer RC4 ciphers before
> 3DES ones in the 'Client Hello').
>
> It seems that unless I completely disable RC4 on the server, it always
> gets chosen ahead of 3DES :-( This is my first post here so thanks in
> advance for any help.

There is no such way by modifying the cipher suite.
The server always chooses the first ciphersuite supported by the server
according to the list sent by the client.
OpenSSL 0.9.7 does support an option to change this behaviour such that
the server's preferences are used, but to my best knowledge there is no
switch in mod_ssl to set this flag.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
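The selection rule Lutz describes, worked through as an added example (this is not code from the thread or from mod_ssl): by default the server takes the first suite in the client's list that it has enabled, so with the 'HIGH:MEDIUM' expansion quoted in the question an RC4-first Client Hello always ends on RC4. The OpenSSL 0.9.7 option he refers to is SSL_OP_CIPHER_SERVER_PREFERENCE; Python's ssl module exposes it as ssl.OP_CIPHER_SERVER_PREFERENCE, and later Apache 2.x releases of mod_ssl expose it as the SSLHonorCipherOrder directive. The server list below is the expansion from the question; both client orderings are constructed, and all function names are the example's own.

```python
"""Cipher-suite selection: client preference (the default) versus server preference."""
import ssl

# Server side: the expansion of 'HIGH:MEDIUM' quoted in the question, in server order
# (the post lists RC4-MD5 twice; the second entry is the SSLv2 suite of the same name
# and is dropped here).
SERVER_HIGH_MEDIUM = [
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA", "DES-CBC3-MD5",
    "RC4-SHA", "RC4-MD5", "RC2-CBC-MD5",
]
# Client side: a constructed Client Hello ordering with RC4 ahead of 3DES, as the poster saw.
CLIENT_RC4_FIRST = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA"]
# A constructed client with no 3DES at all: the one case where the poster wants RC4 used.
CLIENT_NO_3DES = ["RC4-MD5", "RC2-CBC-MD5"]


def select_client_preference(client_offer, server_enabled):
    """Default behaviour described in the reply: the first suite in the client's
    list that the server also has enabled wins."""
    enabled = set(server_enabled)
    return next((s for s in client_offer if s in enabled), None)


def select_server_preference(client_offer, server_enabled):
    """Behaviour with SSL_OP_CIPHER_SERVER_PREFERENCE: the first suite in the
    server's list that the client offered wins."""
    offered = set(client_offer)
    return next((s for s in server_enabled if s in offered), None)


def without_rc4(server_enabled):
    """The only workaround the poster found: drop RC4 from the server list
    (the cipher-spec equivalent of appending ':!RC4'), which also locks out
    clients that can only do RC4."""
    return [s for s in server_enabled if not s.startswith("RC4")]


def server_preference_context():
    """Modern OpenSSL/Python equivalent of the 0.9.7 flag: set it on the server context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def honors_server_order(ctx):
    """True when the context will apply the server's cipher order during negotiation."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


if __name__ == "__main__":
    print("client order, 3DES-capable client :",
          select_client_preference(CLIENT_RC4_FIRST, SERVER_HIGH_MEDIUM))
    print("server order, 3DES-capable client :",
          select_server_preference(CLIENT_RC4_FIRST, SERVER_HIGH_MEDIUM))
    print("server order, RC4-only client     :",
          select_server_preference(CLIENT_NO_3DES, SERVER_HIGH_MEDIUM))
    print("RC4 disabled, 3DES-capable client :",
          select_client_preference(CLIENT_RC4_FIRST, without_rc4(SERVER_HIGH_MEDIUM)))
    print("context honors server order       :",
          honors_server_order(server_preference_context()))
```

Run as a script it prints the four outcomes side by side: client order picks RC4-MD5, server order picks EDH-RSA-DES-CBC3-SHA for the same client and still falls back to RC4-MD5 for the RC4-only client, which is exactly the behaviour the question asks for, while the '!RC4' workaround gets 3DES only by giving up on RC4-only clients.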

Setting up multiple SSL certs on a mac 10.3 server problems

on 12.02.2004 17:34:08 by Huw Jenkins

Hi there,

Having problems setting up multiple certs on a 10.3 box. I've got one
running on the machine yet I can't seem to get any of the others to work I
get this error message:

[Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
(www.royalcaribbean.co.uk:16443) Ops, no RSA or DSA server
certificate found?!
[Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
(www.royalcaribbean.co.uk:16443) You have to perform a
*full* server restart when you added or removed a
certificate and/or key file
[Thu Feb 12 09:19:28 2004] [error] mod_ssl: Init: Unable to
read server certificate from file
/etc/httpd/ssl.key/royal.crt (OpenSSL library error
follows)
[Thu Feb 12 09:19:28 2004] [error] OpenSSL:
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag
[Thu Feb 12 09:19:28 2004] [error] OpenSSL:
error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Feb 12 09:19:34 2004] [error] mod_ssl: Init: Unable to
read server certificate from file
/etc/httpd/ssl.key/royal.crt (OpenSSL library error
follows)
[Thu Feb 12 09:19:34 2004] [error] OpenSSL:
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag
[Thu Feb 12 09:19:34 2004] [error] OpenSSL:
error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error


I know the certs are OK. Definitely! I've been getting new ones off
Geotrust (the techies there are really helpful!) and I've used every way
under the sun to input them. Still won't work tho. So I'm thinking the
problem lies somewhere else! Anyone got any idea what could be going wrong?

Thanks

Huw Jenkins


Re: Setting up multiple SSL certs on a mac 10.3 server problems

on 13.02.2004 08:32:17 by Lutz Jaenicke

On Thu, Feb 12, 2004 at 04:34:08PM +0000, Huw Jenkins wrote:
> Hi there,
>
> Having problems setting up multiple certs on a 10.3 box. I've got one
> running on the machine yet I can't seem to get any of the others to work I
> get this error message:
>
> [Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
> (www.royalcaribbean.co.uk:16443) Ops, no RSA or DSA server
> certificate found?!
> [Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
> (www.royalcaribbean.co.uk:16443) You have to perform a
> *full* server restart when you added or removed a
> certificate and/or key file
> [Thu Feb 12 09:19:28 2004] [error] mod_ssl: Init: Unable to
> read server certificate from file
> /etc/httpd/ssl.key/royal.crt (OpenSSL library error
> follows)
> [Thu Feb 12 09:19:28 2004] [error] OpenSSL:
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag
> [Thu Feb 12 09:19:28 2004] [error] OpenSSL:
> error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
> [Thu Feb 12 09:19:34 2004] [error] mod_ssl: Init: Unable to
> read server certificate from file
> /etc/httpd/ssl.key/royal.crt (OpenSSL library error
> follows)
> [Thu Feb 12 09:19:34 2004] [error] OpenSSL:
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag
> [Thu Feb 12 09:19:34 2004] [error] OpenSSL:
> error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
>
> I know the certs are OK. Definitely! I've been getting new ones off
> Geotrust (the techies there are really helpful!) and I've used every way
> under the sun to input them. Still won't work tho. So I'm thinking the
> problem lies somewhere else! Anyone got any idea what could be going wrong?

The error message indicates that the contents of the certificate cannot
be correctly parsed. You should be able to verify this with the
openssl command line tool:
openssl x509 -in /etc/httpd/ssl.key/royal.crt -text
If the certificate is ok, you should see its contents here. But as the
tool is using the same routines as mod_ssl...

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
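A first triage of the error quoted above, as an added example that comes neither from the thread nor from OpenSSL: ASN1_CHECK_TLEN:wrong tag means the DER decoder met a tag other than the one the X.509 template expects at that position, and the nested ASN1_ITEM_EX_D2I error says this happened inside the outer SEQUENCE rather than at the very first byte. The script below treats the file as SSLCertificateFile does (PEM expected), base64-decodes the CERTIFICATE block and checks the outer tag and the first inner tag, which separates a certificate-shaped structure from the usual wrong-file cases: a PKCS#7 bundle or a private key pasted under a CERTIFICATE header, a truncated paste, or a binary DER file. The DER byte strings are constructed minimal structures, not real certificates, and the function names (`diagnose`, `classify_der`, `der_tlv`, `pem_wrap`) are the example's own.

```python
"""Triage a certificate file that mod_ssl rejects with
'asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag'."""
import base64
import binascii
import re
import sys

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_tlv(buf: bytes, off: int):
    """Decode the tag/length header of the DER element at buf[off:].
    Returns (tag, header_len, body_len), or None if the header itself is malformed."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        return None
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def classify_der(der: bytes) -> str:
    """Say what an X.509 DER decoder would stumble over. A certificate is
    SEQUENCE { SEQUENCE tbsCertificate, ... }, so the outer element and its
    first child must both carry tag 0x30."""
    outer = der_tlv(der, 0)
    if outer is None:
        return "not-der"
    tag, hdr, body = outer
    if tag != 0x30:
        return "wrong-outer-tag-0x%02x" % tag
    if hdr + body > len(der):
        return "truncated"
    if hdr + body < len(der):
        return "trailing-bytes"
    inner = der_tlv(der, hdr)
    if inner is None:
        return "corrupt-body"
    if inner[0] == 0x30:
        return "certificate-shaped"      # SEQUENCE of SEQUENCE, as X.509 requires
    if inner[0] == 0x06:
        return "pkcs7-contentinfo"       # SEQUENCE { OID contentType, ... }: a .p7b bundle
    if inner[0] == 0x02:
        return "key-shaped"              # SEQUENCE { INTEGER version, ... }: PKCS#1/PKCS#8 key
    return "wrong-inner-tag-0x%02x" % inner[0]


def diagnose(data: bytes) -> str:
    """Classify raw file contents the way a PEM certificate loader sees them."""
    if not data.strip():
        return "empty"
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode() for label, _ in blocks]
        if "CERTIFICATE" not in labels:
            return "pem:no-CERTIFICATE-block(" + ",".join(labels) + ")"
        body = next(b for label, b in blocks if label == b"CERTIFICATE")
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            return "pem:CERTIFICATE:bad-base64"
        return "pem:CERTIFICATE:" + classify_der(der)
    if data[:1] == b"\x30":
        # Binary DER: structurally fine, but SSLCertificateFile expects PEM.
        return "der:" + classify_der(data)
    return "text:no-pem-block"


def pem_wrap(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM block (64-column base64), for building test inputs."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (("-----BEGIN %s-----\n" % label).encode() + b"\n".join(lines)
            + ("\n-----END %s-----\n" % label).encode())


# Constructed minimal DER samples (not real certificates), just enough structure
# to exercise the tag checks above.
CERT_SHAPED = bytes.fromhex("30053003020101")              # SEQUENCE { SEQUENCE { INTEGER 1 } }
P7B_SHAPED = bytes.fromhex("300b06092a864886f70d010702")   # SEQUENCE { OID signedData }
TRUNCATED = bytes.fromhex("30103003020101")                # outer length claims 16 bytes, 5 present

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as f:
            print(path, "->", diagnose(f.read()))
    else:
        for name, der in (("cert", CERT_SHAPED), ("p7b", P7B_SHAPED), ("cut", TRUNCATED)):
            print(name, "->", diagnose(pem_wrap("CERTIFICATE", der)))
```

Point it at the file named in the log (`python3 triage.py /etc/httpd/ssl.key/royal.crt`); with no argument it runs over the constructed samples. Whatever it reports, `openssl x509 -in FILE -text -noout` remains the authoritative check, since it uses the same decoder as mod_ssl; this script only tells you which of the common wrong-file shapes you are looking at.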

Re: Setting up multiple SSL certs on a mac 10.3 server problems

on 18.02.2004 12:37:17 by Huw Jenkins

> From: Lutz Jaenicke
> Organization: BTU Cottbus, Allgemeine Elektrotechnik
> Reply-To: modssl-users@modssl.org
> Date: Fri, 13 Feb 2004 08:32:17 +0100
> To: modssl-users@modssl.org
> Subject: Re: Setting up multiple SSL certs on a mac 10.3 server problems
>
> On Thu, Feb 12, 2004 at 04:34:08PM +0000, Huw Jenkins wrote:
>> Hi there,
>>
>> Having problems setting up multiple certs on a 10.3 box. I've got one
>> running on the machine yet I can't seem to get any of the others to work I
>> get this error message:
>>
>> [Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
>> (www.royalcaribbean.co.uk:16443) Ops, no RSA or DSA server
>> certificate found?!
>> [Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
>> (www.royalcaribbean.co.uk:16443) You have to perform a
>> *full* server restart when you added or removed a
>> certificate and/or key file
>> [Thu Feb 12 09:19:28 2004] [error] mod_ssl: Init: Unable to
>> read server certificate from file
>> /etc/httpd/ssl.key/royal.crt (OpenSSL library error
>> follows)
>> [Thu Feb 12 09:19:28 2004] [error] OpenSSL:
>> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
>> tag
>> [Thu Feb 12 09:19:28 2004] [error] OpenSSL:
>> error:0D07803A:asn1 encoding
>> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>> [Thu Feb 12 09:19:34 2004] [error] mod_ssl: Init: Unable to
>> read server certificate from file
>> /etc/httpd/ssl.key/royal.crt (OpenSSL library error
>> follows)
>> [Thu Feb 12 09:19:34 2004] [error] OpenSSL:
>> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
>> tag
>> [Thu Feb 12 09:19:34 2004] [error] OpenSSL:
>> error:0D07803A:asn1 encoding
>> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>>
>>
>> I know the certs are OK. Definitely! I've been getting new ones off
>> Geotrust (the techies there are really helpful!) and I've used every way
>> under the sun to input them. Still won't work tho. So I'm thinking the
>> problem lies somewhere else! Anyone got any idea what could be going wrong?
>
> The error message indicates that the contents of the certificate cannot
> be correctly parsed. You should be able to verify this with the
> openssl command line tool:
> openssl x509 -in /etc/httpd/ssl.key/royal.crt -text
> If the certificate is ok, you should see its contents here. But as the
> tool is using the same routines as mod_ssl...
>
> Best regards,
> Lutz

Having done this I've noticed that all the new files I have received from
GeoTrust have the same result. I'm assuming that they can't all be bad!
Therefore after many days of trying everything I must resort to the thought
that my mod_ssl version and apache version are not right. I personally
haven't updated either since I got another site working on that machine. But
at this stage I can't rule anything out. Just quickly, how do I find out
what version of apache and mod_ssl I'm running? I know that modssl.org will
tell me what I need to know with regard to what is compatible with what. I
just need to know what I'm running. Also does openssl have to be a correct
version? If so how do I find that out?

Any help would be gratefully received!

Regards

Huw


Re: Setting up multiple SSL certs on a mac 10.3 server problems

on 19.02.2004 21:12:55 by Lutz Jaenicke

On Wed, Feb 18, 2004 at 11:37:17AM +0000, Huw Jenkins wrote:
> >> I know the certs are OK. Definitely! I've been getting new ones off
> >> Geotrust (the techies there are really helpful!) and I've used every way
> >> under the sun to input them. Still won't work tho. So I'm thinking the
> >> problem lies somewhere else! Anyone got any idea what could be going wrong?
> >
> > The error message indicates that the contents of the certificate cannot
> > be correctly parsed. You should be able to verify this with the
> > openssl command line tool:
> > openssl x509 -in /etc/httpd/ssl.key/royal.crt -text
> > If the certificate is ok, you should see its contents here. But as the
> > tool is using the same routines as mod_ssl...
> >
> > Best regards,
> > Lutz
>
> Having done this I've noticed that all the new files I have received from
> GeoTrust have the same result. I'm assuming that they can't all be bad!
> Therefore after many days of trying everything I must resort to the thought
> that my mod_ssl version and apache version are not right. I personally
> haven't updated either since I got another site working on that machine. But
> at this stage I can't rule anything out. Just quickly, how do I find out
> what version of apache and mod_ssl I'm running? I know that modssl.org will
> tell me what I need to know with regard to what is compatible with what. I
> just need to know what I'm running. Also does openssl have to be a correct
> version? If so how do I find that out?

I am not completely sure that I understand your results. I assume that you
mean: "yes, openssl x509 .. also fails".
I am not familiar with MacOS X. Apache and mod_ssl (version to be found in
the logfile when starting) actually do call openssl's libraries for the
certificate handling, so the problem should be in the OpenSSL version
installed. (See "openssl version" for version information.)
The problem seems to be with the certificates which do carry public information,
so that you could post them so that other people can investigate
them and report.
Even better: if the problem can be reproduced with openssl alone, do post
your problem to the openssl-users@openssl.org mailing list.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
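Lutz's two pointers for the version question, the startup notice in the error log and `openssl version`, turned into a small version-triage script (an added example, not from the thread): the notice Apache 1.3 writes on start names Apache, mod_ssl and OpenSSL in one line, so a single regex recovers all three, and the library version baked into that line is the one to compare against what the openssl binary reports, since the two can differ on a machine with more than one OpenSSL installed. The sample log lines are constructed and their version numbers made up; the function names are the example's own.

```python
"""Recover Apache, mod_ssl and OpenSSL versions from an Apache 1.3 error_log and
compare with what the openssl binary on PATH reports."""
import re
import shutil
import subprocess

# Constructed sample of the notice Apache 1.3 writes on (re)start; versions are made up.
SAMPLE_NOTICE = ("[Thu Feb 12 09:19:22 2004] [notice] Apache/1.3.29 (Darwin) mod_ssl/2.8.16 "
                 "OpenSSL/0.9.7b configured -- resuming normal operations")

# Component/version pairs as they appear in the notice line.
COMPONENT_RE = re.compile(r"\b(Apache|mod_ssl|OpenSSL)/([0-9][0-9A-Za-z.]*)")


def versions_from_notice(line: str) -> dict:
    """Map each named component in a startup notice to its version string."""
    return {name: ver for name, ver in COMPONENT_RE.findall(line)}


def versions_from_log(lines) -> dict:
    """Scan an error_log and return the versions from the most recent startup notice
    (the last one wins, since the server may have been rebuilt between restarts)."""
    found = {}
    for line in lines:
        if "[notice]" in line and "resuming normal operations" in line:
            found = versions_from_notice(line)
    return found


def openssl_binary_version():
    """Output of `openssl version`, or None when no openssl binary is on PATH."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    out = subprocess.run([exe, "version"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            linked = versions_from_log(f)
    else:
        linked = versions_from_notice(SAMPLE_NOTICE)
    print("from error_log  :", linked or "no startup notice found")
    print("openssl on PATH :", openssl_binary_version() or "not found")
```

Run it as `python3 versions.py /var/log/httpd/error_log` (path assumed; use the ErrorLog path from your httpd.conf). If the OpenSSL version in the notice line is not the one `openssl version` prints, the command-line test Lutz suggested is exercising a different library than mod_ssl is, and the two results cannot be compared directly.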