SSLProtocol vs SSLCipherSuite
on 27.07.2009 15:02:16 by Capstone
I guess I may be confused as to the relationship between these two
directives in the Apache 2 httpd.conf file.
Specifically, will SSLCipherSuite directive take precedence over the
SSLProtocol directive?
For Example;
If I have omitted the SSLProtocol directive entirely. But I have
something like this in my SSLCipherSuite directive,
SSLCipherSuite TLSv1:SSLv3:+HIGH:+MEDIUM:!LOW:!NULL
Does this not allow any SSLv2 traffic to my server?
Any info or help is greatly appreciated.
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: SSLProtocol vs SSLCipherSuite
on 02.08.2009 00:57:25 by Matus UHLAR - fantomas
On 27.07.09 09:02, Capstone wrote:
> Specifically, will SSLCipherSuite directive take precedence over the
> SSLProtocol directive?
no.
> If I have omitted the SSLProtocol directive entirely. But I have
> something like this in my SSLCipherSuite directive,
>
> SSLCipherSuite TLSv1:SSLv3:+HIGH:+MEDIUM:!LOW:!NULL
>
> Does this not allow any SSLv2 traffic to my server?
it only disables low ciphers. I think I also disable EXPORT ciphers...
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
A day without sunshine is like, night.
Re: SSLProtocol vs SSLCipherSuite
on 02.08.2009 15:24:57 by De Ren
First time post. I am new to Apache, MySQL, and PHP.
I've installed Apache (2.2.11), MySQL(5.1.36)and PHP(5.2.10) on my laptop
(operating system: Windows XP Home Edition). I can see the Apache icon on
the right lower corner, but when the mouse is moved to the icon, the prompt
says: "No services installed". Once I click the Apache icon, I open the
Apache Monitor Window and can see a lot of services have started, including
HTTP SSL and MySQL.
I wrote a small "Hello, World" php file ending with .php, but I cannot see
the "Hello, World" with Firefox.
Could someone give me some hint what went wrong, please?
Sincere thanks in advance.
Re: SSLProtocol vs SSLCipherSuite
on 02.08.2009 16:03:12 by Jonathan Zuckerman
On Sun, Aug 2, 2009 at 6:24 AM, De Ren wrote:
> First time post. I am new to Apache, MySQL, and PHP.
>
> I've installed Apache (2.2.11), MySQL(5.1.36)and PHP(5.2.10) on my laptop
> (operating system: Windows XP Home Edition). I can see the Apache icon on
> the right lower corner, but when the mouse is moved to the icon, the prompt
> says: "No services installed". Once I click the Apache icon, I open the
> Apache Monitor Window and can see a lot of services have started, including
> HTTP SSL and MySQL.
>
> I wrote a small "Hello, World" php file ending with .php, but I cannot see
> the "Hello, World" with Firefox.
>
> Could someone give me some hint what went wrong, please?
>
> Sincere thanks in advance.
Please start a new thread instead of hijacking an old one.
My suspicion is that you haven't installed mod_php, though I'm not
sure how things work on Windows. Could you be more precise with this
sentence:
>> but I cannot see the "Hello World"
Do you see anything at all? Possibly the static text of the source
code? Any error messages, anything logged to the error log?
Re: SSLProtocol vs SSLCipherSuite
on 02.08.2009 22:02:52 by aw
De Ren wrote:
> First time post. I am new to Apache, MySQL, and PHP.
That's quite a lot to be new about, all at the same time.
An old African proverb says : "To eat an elephant, you must do it one
little bit at a time".
....
> Could someone give me some hint what went wrong, please?
>
Yes. You took a too big bite to start with, and you are obviously
choking on it.
De-install the lot, and start here :
http://httpd.apache.org/docs/2.2/platform/windows.html
Really read that page and follow the instructions.
Toward the end of the page, it tells you how to test if your Apache is
working. If it is not, then come back here and outline what you did,
what you expected, and what doesn't happen.
Once you get Apache running, then you can tackle PHP.
Once you have PHP running, then you can tackle MySQL.
Don't use forums like this one as a substitute for reading the available
on-line documentation. Some nice and helpful and competent people have
spent a lot of their own time writing this; ignoring it is not nice.
Asking people here to repeat it, is not nice either.
Re: SSLProtocol vs SSLCipherSuite
on 18.08.2009 16:36:08 by Capstone
I may not have been clear on my question so I am reposting, hopefully
in a more clear manner,... I apologize if this is bad practice.
I would like clarification as to whether the SSLProtocol directive is
absolutely necessary when trying to achieve the highest level of
security when configuring Apache.
Can the SSLCipherSuite directive overwrite what is designated in the
SSLProtocol directive?
For example:
SSLProtocol SSLv2
SSLCipherSuite TLSv1:SSLv3:+HIGH:+MEDIUM:!LOW:!NULL
Would the SSLCipherSuite directive above prevent SSLv2 from being used?
Thanks in advance.
Re: SSLProtocol vs SSLCipherSuite
on 18.08.2009 16:41:21 by Eric Covener
On Tue, Aug 18, 2009 at 10:36 AM, Capstone wrote:
> I may not have been clear on my question so I am reposting, hopefully in a
> more clear manner,... I apologize if this is bad practice.
>
> I would like clarification as to whether the SSLProtocol directive is
> absolutely necessary when trying to achieve the highest level of security
> when configuring Apache.
>
> Can the SSLCipherSuite directive overwrite what is designated in the
> SSLProtocol directive?
>
> For example:
>
> SSLProtocol SSLv2
>
> SSLCipherSuite TLSv1:SSLv3:+HIGH:+MEDIUM:!LOW:!NULL
Try it and see?
--
Eric Covener
covener@gmail.com
Re: SSLProtocol vs SSLCipherSuite
on 19.08.2009 10:51:01 by toadie D
Not quite sure what you want to achieve even though the question is semi-clear.
If your real intention is to disallow SSLv2 (which you should in this
day and age) and only support SSLv3 and above, you could do this:
SSLProtocol -ALL +SSLv3 +TLSv1
then followed by the cipher suite,
e.g. SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
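The replies above say SSLCipherSuite does not take precedence over SSLProtocol. This added example (not from any poster and not Apache's own code) audits the three configurations discussed in the thread by computing the enabled protocol set from SSLProtocol alone. It assumes the Apache 2.2 mod_ssl documentation's meaning of `all` (SSLv2, SSLv3 and TLSv1, also the default when the directive is omitted) and a single configuration context; `parse_ssl_protocol` and `audit` are hypothetical helper names.

```python
import re

# Assumption: protocol names and the meaning of "all" follow the Apache 2.2
# mod_ssl documentation (all = SSLv2 + SSLv3 + TLSv1, also the default).
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
ALL = frozenset(KNOWN.values())
DIRECTIVE = re.compile(r"(SSLProtocol|SSLCipherSuite)\s+(.+)$", re.IGNORECASE)

def parse_ssl_protocol(args):
    """Apply tokens left to right: +X adds, -X removes, a bare X replaces the set."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name != "all" and name not in KNOWN:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        selected = set(ALL) if name == "all" else {KNOWN[name]}
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:
            enabled = selected
    return enabled

def audit(conf_text):
    """Return (protocols, cipher_spec, findings) for one configuration context."""
    protocols, cipher_spec = set(ALL), None   # values used when a directive is absent
    for raw in conf_text.splitlines():
        match = DIRECTIVE.match(raw.strip())  # lines starting with '#' never match
        if not match:
            continue
        if match.group(1).lower() == "sslprotocol":
            protocols = parse_ssl_protocol(match.group(2))  # later line wins (simplified)
        else:
            cipher_spec = match.group(2)      # recorded only; protocols come from SSLProtocol
    note = "SSLv2 is enabled by SSLProtocol (explicitly or by default)"
    return protocols, cipher_spec, [note] if "SSLv2" in protocols else []

# Constructed inputs built from the directive lines quoted in the thread.
CIPHERS = "SSLCipherSuite TLSv1:SSLv3:+HIGH:+MEDIUM:!LOW:!NULL"
CASE_SSLV2 = "SSLProtocol SSLv2\n" + CIPHERS
CASE_FIXED = ("SSLProtocol -ALL +SSLv3 +TLSv1\n"
              "SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM")

if __name__ == "__main__":
    for case in (CIPHERS, CASE_SSLV2, CASE_FIXED):
        print(audit(case))
```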