Is it okay to not use exportable ciphers?

on 20.08.2009 21:16:53 by Brian Mearns

For the sake of security, I'd like to configure my SSL/TLS server to
not allow export level ciphers (using the SSLCipherSuite directive).
Is this going to realistically limit the number of people who can use
a secure connection to my site? Specifically, will visitors from other
countries (outside the US) be able to support the stronger
(non-exportable) ciphers?

Thanks,
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Is it okay to not use exportable ciphers?

on 20.08.2009 21:24:28 by Sander Temme



On Aug 20, 2009, at 3:16 PM, Brian Mearns wrote:

> For the sake of security, I'd like to configure my SSL/TLS server to
> not allow export level ciphers (using the SSLCipherSuite directive).
> Is this going to realistically limit the number of people who can use
> a secure connection to my site? Specifically, will visitors from other
> countries (outside the US) be able to support the stronger
> (non-exportable) ciphers?


You can configure a logfile to record what ciphers your users are
currently using, and draw conclusions from that.

S.

--
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF





Re: Is it okay to not use exportable ciphers?

on 20.08.2009 21:40:11 by Brian Mearns

On Thu, Aug 20, 2009 at 3:24 PM, Sander Temme wrote:
>
> On Aug 20, 2009, at 3:16 PM, Brian Mearns wrote:
>
>> For the sake of security, I'd like to configure my SSL/TLS server to
>> not allow export level ciphers (using the SSLCipherSuite directive).
>> Is this going to realistically limit the number of people who can use
>> a secure connection to my site? Specifically, will visitors from other
>> countries (outside the US) be able to support the stronger
>> (non-exportable) ciphers?
>
>
> You can configure a logfile to record what ciphers your users are currently
> using, and draw conclusions from that.
>
> S.
[clip]

Good idea, but I'm not currently getting many users. I'm thinking in
the long term, I don't want to lock out potential visitors just
because they're using weak crypto.

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net


how to purge/invalidate a site (including all its objects) or simply just an object from mod_cache

on 20.08.2009 22:01:14 by Jerome Yanga

Hi everyone!

I found the thread below.

http://httpd.markmail.org/message/b3iz6vhy3h7a3oox?q=purge+invalidate

Is this the best way to purge/invalidate a site (including all its objects
and succeeding URLs) or simply just an object from mod_cache? If so, how do
I use the patch? Otherwise, can you point me in the right direction?

Thank you in advance.

Regards,
jyanga


Re: Is it okay to not use exportable ciphers?

on 21.08.2009 02:31:00 by Crypto Sal

On 08/20/2009 03:40 PM, Brian Mearns wrote:
> On Thu, Aug 20, 2009 at 3:24 PM, Sander Temme wrote:
>
>> On Aug 20, 2009, at 3:16 PM, Brian Mearns wrote:
>>
>>
>>> For the sake of security, I'd like to configure my SSL/TLS server to
>>> not allow export level ciphers (using the SSLCipherSuite directive).
>>> Is this going to realistically limit the number of people who can use
>>> a secure connection to my site? Specifically, will visitors from other
>>> countries (outside the US) be able to support the stronger
>>> (non-exportable) ciphers?
>>>
>>
>> You can configure a logfile to record what ciphers your users are currently
>> using, and draw conclusions from that.
>>
>> S.
>>
> [clip]
>
> Good idea, but I'm not currently getting many users. I'm thinking in
> the long term, I don't want to lock out potential visitors just
> because they're using weak crypto.
>
> -Brian
>
>


Brian,

Have you considered using Apache's "SGC"? There's a nice little blurb
about it in the Apache Docs.
[ http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#upgradeenc ]

"How can I create an SSL server which accepts strong encryption only,
but allows export browsers to upgrade to stronger encryption?"

--Sal



Re: Is it okay to not use exportable ciphers?

on 10.09.2009 17:11:00 by Matus UHLAR - fantomas

On 20.08.09 15:16, Brian Mearns wrote:
> For the sake of security, I'd like to configure my SSL/TLS server to
> not allow export level ciphers (using the SSLCipherSuite directive).
> Is this going to realistically limit the number of people who can use
> a secure connection to my site? Specifically, will visitors from other
> countries (outside the US) be able to support the stronger
> (non-exportable) ciphers?

I have not received any problem reports with setting:

SSLCipherSuite DEFAULT:!EXP:!LOW

for some time.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
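
Added example, not part of any message in this thread: one way to act on the "log the ciphers and draw conclusions" suggestion before switching to `SSLCipherSuite DEFAULT:!EXP:!LOW`. It assumes a dedicated `CustomLog` built from the mod_ssl variables shown in the comment; the log file name, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed log definition (written as a single line in the Apache config):
#   CustomLog logs/ssl_cipher_log "%h %{SSL_PROTOCOL}x %{SSL_CIPHER}x
#       %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CIPHER_EXPORT}x"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+|-) (true|false|-)$")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 TLSv1 DHE-RSA-AES256-SHA 256 false
192.0.2.10 TLSv1 DHE-RSA-AES256-SHA 256 false
198.51.100.7 SSLv3 RC4-MD5 128 false
203.0.113.5 SSLv3 EXP-RC4-MD5 40 true
203.0.113.9 SSLv3 DES-CBC-SHA 56 false
192.0.2.44 - - - -
this line is malformed
"""

def classify(bits, export):
    """Approximate OpenSSL's EXP and LOW classes from the logged values."""
    if export:
        return "EXP"
    if bits < 128:  # single DES and other 56/64-bit suites
        return "LOW"
    return "ok"

def summarize(lines):
    """Return (connections per class, client addresses per class, skipped lines)."""
    conns = Counter()
    clients = {"EXP": set(), "LOW": set(), "ok": set()}
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Non-SSL requests log "-" for every SSL variable; skip them too.
        if not m or m.group(4) == "-" or m.group(5) == "-":
            skipped += 1
            continue
        host, _proto, _cipher, bits, export = m.groups()
        cls = classify(int(bits), export == "true")
        conns[cls] += 1
        clients[cls].add(host)
    return conns, clients, skipped

def only_weak(clients):
    """Addresses seen on EXP/LOW ciphers and never on a stronger one."""
    return (clients["EXP"] | clients["LOW"]) - clients["ok"]

if __name__ == "__main__":
    conns, clients, skipped = summarize(SAMPLE_LOG.splitlines())
    print(dict(conns), sorted(only_weak(clients)), "skipped:", skipped)
```

The addresses returned by `only_weak` are an upper bound on who the stricter setting would turn away: the log shows the cipher that was negotiated, not the strongest one the client supports.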
