Which SSL Directives to use?

on 17.02.2010 08:08:01 by NT984

I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL
Cert on my site. My existing configuration uses the following directives:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt

In the Network Solutions instructions, it recommends using the following:
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt

In the Apache mod_ssl documentation (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html),
it states the following:

SSLCertificateChainFile
This should be used alternatively and/or additionally to
SSLCACertificatePath for explicitly constructing the server certificate
chain which is sent to the browser in addition to the server certificate. It
is especially useful to avoid conflicts with CA certificates when using
client authentication. Because although placing a CA certificate of the
server certificate chain into SSLCACertificatePath has the same effect for
the certificate chain construction, it has the side-effect that client
certificates issued by this same CA certificate are also accepted on client
authentication.

Example:
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

SSLCACertificateFile
This directive sets the all-in-one file where you can assemble the
Certificates of Certification Authorities (CA) whose clients you deal with.
These are used for Client Authentication. Such a file is simply the
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
SSLCACertificatePath.

Example
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt


My question is... should I include both directives in my configuration? Is
there an advantage to doing so? Now that I am upgrading, do I need to
consider modification of my SSLCipherSuite setting?

Any help would be appreciated.

Thx. nt
--
View this message in context: http://old.nabble.com/Which-SSL-Directives-to-use--tp27618358p27618358.html
Sent from the mod_ssl - Users mailing list archive at Nabble.com.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
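
Whichever directive ends up pointing at the intermediate bundle, the certificates it contains have to be in issuer order behind the server certificate, or browsers see an incomplete chain. The following is an added example, not code from the thread or from Apache: a stdlib-only Python check that walks the DER of each PEM certificate in a bundle (server certificate first, then the chain file's contents) and reports any certificate that is not directly followed by its issuer. The sample bundle is constructed in the block from certificate skeletons with the real X.509 field layout but no key or signature; the names "my.blah.com", "Example Intermediate CA" and "Example Root CA" are made up.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(data, pos=0):
    """Return (tag, value_start, value_end) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_and_issuer(der):
    """Walk Certificate -> tbsCertificate and return the raw DER Names (subject, issuer)."""
    _, p, _ = der_tlv(der)                  # Certificate SEQUENCE
    _, p, _ = der_tlv(der, p)               # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(der, p)
    if tag == 0xA0:                         # skip the optional [0] EXPLICIT version
        p = end
    fields = []                             # serialNumber, signature, issuer, validity, subject
    for _ in range(5):
        _, _, end = der_tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def chain_problems(bundle):
    """List each certificate in a PEM bundle that is not directly followed by its issuer."""
    certs = [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]
    names = [subject_and_issuer(c) for c in certs]
    return [f"certificate {i} is not issued by certificate {i + 1}"
            for i in range(len(names) - 1) if names[i][1] != names[i + 1][0]]

# Constructed sample data: certificate skeletons with real DER layout but no key or signature.
def tlv(tag, content):                      # short-form DER lengths are enough for these samples
    return bytes([tag, len(content)]) + content

def name(cn):                               # Name: SEQUENCE { SET { commonName (2.5.4.3) = cn } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))

def fake_cert(subject, issuer):             # version, serial, empty sigAlg, issuer, empty validity, subject
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tlv(0x30, tbs))

def pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

LEAF = fake_cert("my.blah.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
GOOD_BUNDLE = pem(LEAF) + pem(INTERMEDIATE)  # server certificate, then its chain, as browsers expect
BAD_BUNDLE = pem(INTERMEDIATE) + pem(LEAF)   # the same certificates in the wrong order
```

Run against a real deployment as `chain_problems(open("my.blah.com.crt","rb").read() + open("Apache_Plesk_Install.txt","rb").read())`; an empty list means every certificate is followed by the one that signed it.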

Re: Which SSL Directives to use?

on 17.02.2010 14:39:07 by Crypto Sal

On 02/17/2010 02:08 AM, NT984 wrote:
> I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL
> Cert on my site. My existing configuration uses the following directives:
>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
> SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
> SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
> SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt
>
> In the Network Solutions instructions, it recommends using the following:
> SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
> SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
> SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt
>
> In the Apache mod_ssl documentation (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html),
> it states the following:
>
> SSLCertificateChainFile
> This should be used alternatively and/or additionally to
> SSLCACertificatePath for explicitly constructing the server certificate
> chain which is sent to the browser in addition to the server certificate. It
> is especially useful to avoid conflicts with CA certificates when using
> client authentication. Because although placing a CA certificate of the
> server certificate chain into SSLCACertificatePath has the same effect for
> the certificate chain construction, it has the side-effect that client
> certificates issued by this same CA certificate are also accepted on client
> authentication.
>
> Example:
> SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
>
> SSLCACertificateFile
> This directive sets the all-in-one file where you can assemble the
> Certificates of Certification Authorities (CA) whose clients you deal with.
> These are used for Client Authentication. Such a file is simply the
> concatenation of the various PEM-encoded Certificate files, in order of
> preference. This can be used alternatively and/or additionally to
> SSLCACertificatePath.
>
> Example
> SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
>
>
> My question is... should I include both directives in my configuration? Is
> there an advantage to doing so? Now that I am upgrading, do I need to
> consider modification of my SSLCipherSuite setting?
>
> Any help would be appreciated.
>
> Thx. nt
>


NT,

You should use SSLCertificateChainFile if you're on Apache 2.2. If you're
on Apache 1.x, then typically you'll want to use SSLCACertificateFile.
In Apache 2, SSLCACertificateFile is for Client Authentication, whereas
in earlier versions it was for the Certificate Authority. Earlier versions of
Apache 2.0 were able to use both interchangeably. Do not use both at the
same time, only if you're doing Client Authentication.

As far as your cipher suite goes... You'll also want to disable MD5
based ciphers. (Opera 9.x will warn of weak ciphers in use as there are
a few MD5 based in SSLv3/TLSv1.x)

Hope this helps,

--Sal
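
SSLCipherSuite takes an OpenSSL cipher list, so the quickest way to see what a string like the one above actually offers is to expand it with OpenSSL itself. This is an added example, not code from the thread: it uses the OpenSSL linked into Python's ssl module to expand the original string and a hardened variant, and lists the selected ciphers that use an MD5 MAC or RC4. Appending `!MD5` is Sal's advice; also excluding RC4 is this example's own assumption, and the exact cipher set depends on the OpenSSL build Python is linked against (older builds may still list RC4-MD5 for the original string, newer ones may not).

```python
import ssl

ORIGINAL = "ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2"   # the string from the thread
HARDENED = ORIGINAL + ":!MD5:!RC4"   # !MD5 per Sal; excluding RC4 as well is this example's assumption

def selected_ciphers(cipher_string):
    """Expand a cipher string into the descriptions OpenSSL would offer, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError only if nothing at all matches
    return [c["description"] for c in ctx.get_ciphers()]

def weak_ciphers(cipher_string):
    """Names of the selected ciphers that use an MD5 MAC or the RC4 stream cipher."""
    return [d.split()[0] for d in selected_ciphers(cipher_string)
            if "Mac=MD5" in d or "Enc=RC4" in d]

if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(f"{label}: {len(selected_ciphers(s))} ciphers selected, weak: {weak_ciphers(s)}")
```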


